modiloader | e36a0dfa49890364967ce961dcc9a4a5b32b99a171f1aa7a505811679e2ce7b8

Analysis

max time kernel
146s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 00:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1dd009ebff013b5e1b641e460e5eaa01.exe
Size

670KB
MD5

1dd009ebff013b5e1b641e460e5eaa01
SHA1

984ec64a577abbd3d5fbd69981f6345f1666063d
SHA256

e36a0dfa49890364967ce961dcc9a4a5b32b99a171f1aa7a505811679e2ce7b8
SHA512

812c299a45944f8c42641d4a9fc7f8bc205bc3daef0adc59bc7d31e0c9b848b01b2099b6f8791cec041734a790e15f7c000cfffc1c16b72b77d9b8fd4cd99d4d
SSDEEP

12288:y3og9mmldjsVd2/4fzF8F3Z4mxx9f3Rgi6uVWmwCmjs:uogJdPlQmX9/RNV6Q

Score

10^/10

modiloader persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 5 IoCs

resource	yara_rule
behavioral2/memory/2736-80-0x0000000000400000-0x00000000004BF000-memory.dmp	modiloader_stage2
behavioral2/memory/2396-83-0x0000000000400000-0x00000000004BF000-memory.dmp	modiloader_stage2
behavioral2/files/0x00080000000231fc-74.dat	modiloader_stage2
behavioral2/memory/4852-72-0x0000000000400000-0x00000000004BF000-memory.dmp	modiloader_stage2
behavioral2/memory/872-69-0x0000000003140000-0x000000000315B000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

pid	Process
4852	1.exe
2396	1.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1dd009ebff013b5e1b641e460e5eaa01.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2396 set thread context of 2736	2396	1.exe	22

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\SetupWay.txt	1.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\SetupWay.txt	1.exe

Program crash 1 IoCs

pid	pid_target	Process
676	2736	WerFault.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 872 wrote to memory of 4852	872	1dd009ebff013b5e1b641e460e5eaa01.exe	15
PID 872 wrote to memory of 4852	872	1dd009ebff013b5e1b641e460e5eaa01.exe	15
PID 872 wrote to memory of 4852	872	1dd009ebff013b5e1b641e460e5eaa01.exe	15
PID 4852 wrote to memory of 2240	4852	1.exe	24
PID 4852 wrote to memory of 2240	4852	1.exe	24
PID 4852 wrote to memory of 2240	4852	1.exe	24
PID 872 wrote to memory of 2396	872	1dd009ebff013b5e1b641e460e5eaa01.exe	23
PID 872 wrote to memory of 2396	872	1dd009ebff013b5e1b641e460e5eaa01.exe	23
PID 872 wrote to memory of 2396	872	1dd009ebff013b5e1b641e460e5eaa01.exe	23
PID 2396 wrote to memory of 2736	2396	1.exe	22
PID 2396 wrote to memory of 2736	2396	1.exe	22
PID 2396 wrote to memory of 2736	2396	1.exe	22
PID 2396 wrote to memory of 2736	2396	1.exe	22
PID 2396 wrote to memory of 2736	2396	1.exe	22

C:\Users\Admin\AppData\Local\Temp\1dd009ebff013b5e1b641e460e5eaa01.exe
"C:\Users\Admin\AppData\Local\Temp\1dd009ebff013b5e1b641e460e5eaa01.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:872
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:4852
- - C:\Windows\SysWOW64\mstsc.exe
    "C:\Windows\system32\mstsc.exe"
    3⤵
    PID:2240
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 2736 -ip 2736
1⤵
PID:3024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 12
1⤵
- Program crash
PID:676

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\system32\mstsc.exe"
1⤵
PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSINFO\SetupWay.txt

Filesize
52B

MD5
ce66ab94aeffaa3d16632b3a10874a0f

SHA1
cdac03d1e09da01c5b4fd3f60d2aeac4412cfdb9

SHA256
9d5073d7c4095d7285ac6069d7dd3a74235c0dcf0cc70c18b7a560fc0293e3b9

SHA512
d01ca59d5767ffff0edfd68a6b199b62c1a078ab4c7926d7bb4374cd72ac74ffea29ce034094f2dc1220051eb35ea5f06c6b5c02cff908f21645e114df6c5183

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe

Filesize
680KB

MD5
8247a63ecec4a0d8946cd5f60db2aecd

SHA1
df8fb9139c315ccdddfd635cc9e86b0829a417c8

SHA256
0ed72f9f34cd62ae7ca811013230233d18385123be76cc9ba9754e982e879458

SHA512
2833f39dae9121b3a9ea67e780c799d5f482ba46cb07f50fd9b09fe95c1c9825f6dd37d1c625e971c0c5e8be37965797ee013745627fbf81b46c18940e4cf916

Download Submit
memory/872-39-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/872-36-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/872-49-0x0000000003140000-0x000000000315B000-memory.dmp

Filesize
108KB

Download
memory/872-62-0x0000000003140000-0x000000000315B000-memory.dmp

Filesize
108KB

Download
memory/872-88-0x0000000001000000-0x0000000001108000-memory.dmp

Filesize
1.0MB

Download
memory/872-70-0x0000000003140000-0x000000000315B000-memory.dmp

Filesize
108KB

Download
memory/872-2-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/872-3-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/872-69-0x0000000003140000-0x000000000315B000-memory.dmp

Filesize
108KB

Download
memory/872-68-0x0000000003140000-0x000000000315B000-memory.dmp

Filesize
108KB

Download
memory/872-67-0x0000000003140000-0x000000000315B000-memory.dmp

Filesize
108KB

Download
memory/872-5-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/872-65-0x0000000003140000-0x000000000315B000-memory.dmp

Filesize
108KB

Download
memory/872-64-0x0000000003140000-0x000000000315B000-memory.dmp

Filesize
108KB

Download
memory/872-63-0x0000000003140000-0x000000000315B000-memory.dmp

Filesize
108KB

Download
memory/872-61-0x0000000003140000-0x000000000315B000-memory.dmp

Filesize
108KB

Download
memory/872-60-0x0000000003140000-0x000000000315B000-memory.dmp

Filesize
108KB

Download
memory/872-59-0x0000000003140000-0x000000000315B000-memory.dmp

Filesize
108KB

Download
memory/872-57-0x0000000003140000-0x000000000315B000-memory.dmp

Filesize
108KB

Download
memory/872-56-0x0000000003140000-0x000000000315B000-memory.dmp

Filesize
108KB

Download
memory/872-55-0x0000000003140000-0x000000000315B000-memory.dmp

Filesize
108KB

Download
memory/872-54-0x0000000003140000-0x000000000315B000-memory.dmp

Filesize
108KB

Download
memory/872-53-0x0000000003140000-0x000000000315B000-memory.dmp

Filesize
108KB

Download
memory/872-52-0x0000000003140000-0x000000000315B000-memory.dmp

Filesize
108KB

Download
memory/872-51-0x0000000003140000-0x000000000315B000-memory.dmp

Filesize
108KB

Download
memory/872-50-0x0000000003140000-0x000000000315B000-memory.dmp

Filesize
108KB

Download
memory/872-48-0x0000000003140000-0x000000000315B000-memory.dmp

Filesize
108KB

Download
memory/872-47-0x0000000003140000-0x000000000315B000-memory.dmp

Filesize
108KB

Download
memory/872-43-0x0000000003140000-0x000000000315B000-memory.dmp

Filesize
108KB

Download
memory/872-42-0x0000000003140000-0x000000000315B000-memory.dmp

Filesize
108KB

Download
memory/872-41-0x0000000003140000-0x000000000315B000-memory.dmp

Filesize
108KB

Download
memory/872-40-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/872-0-0x0000000001000000-0x0000000001108000-memory.dmp

Filesize
1.0MB

Download
memory/872-35-0x0000000003140000-0x000000000315B000-memory.dmp

Filesize
108KB

Download
memory/872-1-0x0000000000590000-0x00000000005E4000-memory.dmp

Filesize
336KB

Download
memory/872-37-0x0000000000D10000-0x0000000000D11000-memory.dmp

Filesize
4KB

Download
memory/872-38-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/872-34-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/872-33-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/872-32-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/872-31-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/872-30-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/872-29-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/872-28-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/872-27-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/872-26-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/872-25-0x0000000003140000-0x000000000315B000-memory.dmp

Filesize
108KB

Download
memory/872-24-0x0000000003140000-0x000000000315B000-memory.dmp

Filesize
108KB

Download
memory/872-21-0x0000000003140000-0x000000000315B000-memory.dmp

Filesize
108KB

Download
memory/872-20-0x0000000003140000-0x000000000315B000-memory.dmp

Filesize
108KB

Download
memory/872-19-0x0000000003140000-0x000000000315B000-memory.dmp

Filesize
108KB

Download
memory/872-18-0x0000000003140000-0x000000000315B000-memory.dmp

Filesize
108KB

Download
memory/872-17-0x0000000003140000-0x000000000315B000-memory.dmp

Filesize
108KB

Download
memory/872-16-0x0000000003140000-0x000000000315B000-memory.dmp

Filesize
108KB

Download
memory/872-15-0x0000000003140000-0x000000000315B000-memory.dmp

Filesize
108KB

Download
memory/872-14-0x0000000003140000-0x000000000315B000-memory.dmp

Filesize
108KB

Download
memory/872-13-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/872-12-0x0000000003140000-0x000000000315B000-memory.dmp

Filesize
108KB

Download
memory/872-11-0x0000000003140000-0x000000000315B000-memory.dmp

Filesize
108KB

Download
memory/872-10-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/872-9-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/872-8-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/872-7-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/872-6-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/872-4-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/2396-83-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2736-80-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4852-72-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads