modiloader | 17d4525c32daf16d784fe28a29a07fc0066ac892d85ea09b7caa5bd4cb0c6d0e

Analysis

max time kernel
148s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 14:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

werty.exe
Size

1.0MB
MD5

0c5bfdf29140cee7c34fa6166a1755c8
SHA1

adbc915a64c49396e67c6d2b6aaaeda987bd9eb5
SHA256

9a9f94e9ff3046494728f6f9d12d4da6700b57b38d1a151d24b903f4d41758cd
SHA512

cd1b303b9cbdcae35c91f5f5e9efe3f532bde69189fe146f271c84bd258e60e0a66a347fd59247ead197c0abd7d4d208fec895a12aabf51f282d907e4b353f99
SSDEEP

24576:IWBKQmXDpp02onnUhfH36pnBDoRUsujZdI/4XPU7eGAzxczoueZ7Z1:IMmTL0Vn2sUud+4XPr4ox

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 4 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023143-51.dat	modiloader_stage2
behavioral2/memory/3352-60-0x0000000000400000-0x00000000004C1000-memory.dmp	modiloader_stage2
behavioral2/files/0x0009000000023143-55.dat	modiloader_stage2
behavioral2/files/0x0009000000023143-54.dat	modiloader_stage2

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\Beep.sys	werty.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Beep.sys	werty.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	werty.exe

Executes dropped EXE 1 IoCs

pid	Process
3352	2009_server.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\SetupWay.txt	2009_server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4312 wrote to memory of 3352	4312	werty.exe	34
PID 4312 wrote to memory of 3352	4312	werty.exe	34
PID 4312 wrote to memory of 3352	4312	werty.exe	34
PID 3352 wrote to memory of 5520	3352	2009_server.exe	33
PID 3352 wrote to memory of 5520	3352	2009_server.exe	33

C:\Users\Admin\AppData\Local\Temp\werty.exe
"C:\Users\Admin\AppData\Local\Temp\werty.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4312
- C:\Users\Admin\AppData\Local\Temp\2009_server.exe
  "C:\Users\Admin\AppData\Local\Temp\2009_server.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:3352

C:\program files\internet explorer\IEXPLORE.EXE
"C:\program files\internet explorer\IEXPLORE.EXE"
1⤵
PID:5520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2009_server.exe

Filesize
180KB

MD5
f097c36eab94bfd2ab7234577067fd54

SHA1
2ee615a9a81c8c34040788b07517e803d71c889f

SHA256
0fa22376dbc8479a6222f0aaa2db96b29dc15493566aefefda00b040f6291f39

SHA512
d0b99442aec262e59a50b77e7b96c8a8f5f0348923994ea97365c3e88dabf1de7597d3a8f4bbbd2180d809e5294392b113d796e1bb0083df8d4d43202ba7d61d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2009_server.exe

Filesize
243KB

MD5
72ef67f3370891bfcb95ff02b021b7b9

SHA1
5bb6e3be928704b2fa2fc86a87a6d197d4b82b4e

SHA256
78c5736eb8047f42f88cd2bfa1a60d4cc2fd05d38b185bfdada5d95b00d6faec

SHA512
c84a2a9414f1e32311598f5695dc564af6fff4214ab48dfcebfc053f96000b1a7a0e7cae3d39b324925a4c656b3db93376c09b310efa4d124392f04ac2b6b5dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\2009_server.exe

Filesize
188KB

MD5
1f947cd7823ede2147d45ec584cd88f1

SHA1
d142f8c2d210f9bb2f94f31ae37ddc147c7958ef

SHA256
660581bf58b9b3bf80a07c1e5b2b896a46bcd7cf694a893105faf96d1f85d1aa

SHA512
6125860b5f5a12fd1ac34255d4695dc8b913de20ebe58548b46f145201710a30d664d3954ec86feed1ee26bbc7d9a02e5d617eb3b2d189a61f2caca7079468c3

Download Submit
memory/3352-60-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/3352-58-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/4312-27-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/4312-36-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/4312-9-0x0000000003430000-0x0000000003431000-memory.dmp

Filesize
4KB

Download
memory/4312-45-0x0000000003490000-0x0000000003491000-memory.dmp

Filesize
4KB

Download
memory/4312-44-0x0000000003440000-0x0000000003441000-memory.dmp

Filesize
4KB

Download
memory/4312-43-0x0000000003450000-0x0000000003451000-memory.dmp

Filesize
4KB

Download
memory/4312-42-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/4312-41-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/4312-40-0x00000000021F0000-0x00000000021F1000-memory.dmp

Filesize
4KB

Download
memory/4312-39-0x00000000034B0000-0x00000000034B1000-memory.dmp

Filesize
4KB

Download
memory/4312-38-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/4312-37-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/4312-25-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/4312-35-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/4312-34-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/4312-33-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/4312-32-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/4312-31-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/4312-30-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/4312-29-0x0000000003410000-0x0000000003415000-memory.dmp

Filesize
20KB

Download
memory/4312-28-0x00000000034A0000-0x00000000034A1000-memory.dmp

Filesize
4KB

Download
memory/4312-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4312-1-0x0000000002260000-0x00000000022B4000-memory.dmp

Filesize
336KB

Download
memory/4312-26-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/4312-17-0x0000000002430000-0x0000000002431000-memory.dmp

Filesize
4KB

Download
memory/4312-23-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/4312-22-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/4312-21-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/4312-20-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/4312-19-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/4312-18-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/4312-24-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/4312-16-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/4312-15-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/4312-14-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/4312-13-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/4312-11-0x0000000003420000-0x0000000003422000-memory.dmp

Filesize
8KB

Download
memory/4312-10-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/4312-7-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/4312-8-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/4312-6-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/4312-5-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download
memory/4312-4-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/4312-3-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/4312-2-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/4312-57-0x0000000002260000-0x00000000022B4000-memory.dmp

Filesize
336KB

Download
memory/4312-56-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download