modiloader | 17d4525c32daf16d784fe28a29a07fc0066ac892d85ea09b7caa5bd4cb0c6d0e

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 14:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

werty.exe
Size

1.0MB
MD5

0c5bfdf29140cee7c34fa6166a1755c8
SHA1

adbc915a64c49396e67c6d2b6aaaeda987bd9eb5
SHA256

9a9f94e9ff3046494728f6f9d12d4da6700b57b38d1a151d24b903f4d41758cd
SHA512

cd1b303b9cbdcae35c91f5f5e9efe3f532bde69189fe146f271c84bd258e60e0a66a347fd59247ead197c0abd7d4d208fec895a12aabf51f282d907e4b353f99
SSDEEP

24576:IWBKQmXDpp02onnUhfH36pnBDoRUsujZdI/4XPU7eGAzxczoueZ7Z1:IMmTL0Vn2sUud+4XPr4ox

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral1/files/0x000d0000000122e4-42.dat	modiloader_stage2
behavioral1/memory/2652-54-0x0000000000400000-0x00000000004C1000-memory.dmp	modiloader_stage2

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\Beep.sys	werty.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Beep.sys	werty.exe

Executes dropped EXE 1 IoCs

pid	Process
2652	2009_server.exe

Loads dropped DLL 2 IoCs

pid	Process
2416	werty.exe
2416	werty.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\SetupWay.txt	2009_server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
464	Process not Found
464	Process not Found

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 2652	2416	werty.exe	28
PID 2416 wrote to memory of 2652	2416	werty.exe	28
PID 2416 wrote to memory of 2652	2416	werty.exe	28
PID 2416 wrote to memory of 2652	2416	werty.exe	28
PID 2652 wrote to memory of 2084	2652	2009_server.exe	29
PID 2652 wrote to memory of 2084	2652	2009_server.exe	29
PID 2652 wrote to memory of 2084	2652	2009_server.exe	29
PID 2652 wrote to memory of 2084	2652	2009_server.exe	29

C:\Users\Admin\AppData\Local\Temp\werty.exe
"C:\Users\Admin\AppData\Local\Temp\werty.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Users\Admin\AppData\Local\Temp\2009_server.exe
  "C:\Users\Admin\AppData\Local\Temp\2009_server.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\program files\internet explorer\IEXPLORE.EXE
    "C:\program files\internet explorer\IEXPLORE.EXE"
    3⤵
    PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\2009_server.exe

Filesize
688KB

MD5
33a42b59d3e63577a706273e910a8868

SHA1
04b60b57e9a3b4882c4ccdb16975ce4e11d07ddf

SHA256
29f9aa3363a2ea83c4010e07ce277e448059f61c6f4b9882e64561d93815ed87

SHA512
049c88aad522e8e4bce6cde525eae5ccd4ed8c774df01f7a866d952fa74ceffb2cd38bcdce5b980859f758685be8f230ad2bf2b79f74bcc5a78a5c917c2fde14

Download Submit
memory/2416-13-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/2416-11-0x0000000000470000-0x0000000000471000-memory.dmp

Filesize
4KB

Download
memory/2416-4-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2416-3-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2416-5-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2416-27-0x0000000001FA0000-0x0000000001FA1000-memory.dmp

Filesize
4KB

Download
memory/2416-26-0x0000000001FB0000-0x0000000001FB1000-memory.dmp

Filesize
4KB

Download
memory/2416-25-0x0000000001F40000-0x0000000001F41000-memory.dmp

Filesize
4KB

Download
memory/2416-24-0x0000000001F50000-0x0000000001F51000-memory.dmp

Filesize
4KB

Download
memory/2416-23-0x0000000001F70000-0x0000000001F71000-memory.dmp

Filesize
4KB

Download
memory/2416-22-0x0000000001F90000-0x0000000001F91000-memory.dmp

Filesize
4KB

Download
memory/2416-21-0x00000000004B0000-0x00000000004B1000-memory.dmp

Filesize
4KB

Download
memory/2416-20-0x0000000001F20000-0x0000000001F21000-memory.dmp

Filesize
4KB

Download
memory/2416-19-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/2416-18-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/2416-17-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/2416-16-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/2416-15-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/2416-14-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/2416-1-0x0000000000340000-0x0000000000394000-memory.dmp

Filesize
336KB

Download
memory/2416-2-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2416-10-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/2416-12-0x0000000003180000-0x0000000003182000-memory.dmp

Filesize
8KB

Download
memory/2416-9-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2416-8-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2416-6-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2416-28-0x00000000031D0000-0x00000000031D1000-memory.dmp

Filesize
4KB

Download
memory/2416-29-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2416-30-0x0000000003170000-0x0000000003175000-memory.dmp

Filesize
20KB

Download
memory/2416-32-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2416-31-0x0000000003210000-0x0000000003211000-memory.dmp

Filesize
4KB

Download
memory/2416-34-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/2416-33-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2416-36-0x00000000031A0000-0x00000000031A1000-memory.dmp

Filesize
4KB

Download
memory/2416-37-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/2416-35-0x00000000031B0000-0x00000000031B1000-memory.dmp

Filesize
4KB

Download
memory/2416-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2416-49-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2416-50-0x0000000000340000-0x0000000000394000-memory.dmp

Filesize
336KB

Download
memory/2652-51-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2652-54-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download