modiloader | cb5d4820d476a3eb01b9c5289d5937a4e86448750876a9f730e2aebd4444e73f

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26-12-2023 04:47

Target

55733a8e9c13dbbf4472143a87240467.exe
Size

61KB
MD5

55733a8e9c13dbbf4472143a87240467
SHA1

687ebc5e32ba49e0abe2198f4e2323c3a2ca9a9d
SHA256

cb5d4820d476a3eb01b9c5289d5937a4e86448750876a9f730e2aebd4444e73f
SHA512

ae8ed80e5f83c7d4318aaa3fcd5a2b59338da174061c13856b11033f16ceb55aa6c292d60722d601ddb7bdb214e8282dd0f2f6b7b8df3f6be10f28cbea5df77e
SSDEEP

1536:Vm7wjsVTJ+p3JrkGLawHE/E2j+ENmYJgU9BNtVhn4hFdFWsMZ:y+sVT45mn/bjnNqU9B55QFHGZ

Score

10^/10

modiloader trojan

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

resource	yara_rule
behavioral1/memory/2040-1-0x0000000000400000-0x000000000042103E-memory.dmp	modiloader_stage2
behavioral1/memory/2040-2-0x0000000000400000-0x000000000042103E-memory.dmp	modiloader_stage2
behavioral1/files/0x000b000000012243-3.dat	modiloader_stage2

Executes dropped EXE 2 IoCs

pid	Process
1184	temp.exe
2400	tcpip.exe

Loads dropped DLL 2 IoCs

pid	Process
2500	cmd.exe
2500	cmd.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\tcpip.exe	temp.exe
File opened for modification	C:\Windows\SysWOW64\tcpip.exe	temp.exe
File created	C:\Windows\SysWOW64\vvvvvvvv.bat	temp.exe
File created	C:\Windows\SysWOW64\winsystem.dll	tcpip.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1184	temp.exe
Token: SeDebugPrivilege	2400	tcpip.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 2500	2040	55733a8e9c13dbbf4472143a87240467.exe	28
PID 2040 wrote to memory of 2500	2040	55733a8e9c13dbbf4472143a87240467.exe	28
PID 2040 wrote to memory of 2500	2040	55733a8e9c13dbbf4472143a87240467.exe	28
PID 2040 wrote to memory of 2500	2040	55733a8e9c13dbbf4472143a87240467.exe	28
PID 2500 wrote to memory of 1184	2500	cmd.exe	30
PID 2500 wrote to memory of 1184	2500	cmd.exe	30
PID 2500 wrote to memory of 1184	2500	cmd.exe	30
PID 2500 wrote to memory of 1184	2500	cmd.exe	30
PID 1184 wrote to memory of 2788	1184	temp.exe	32
PID 1184 wrote to memory of 2788	1184	temp.exe	32
PID 1184 wrote to memory of 2788	1184	temp.exe	32
PID 1184 wrote to memory of 2788	1184	temp.exe	32
PID 2400 wrote to memory of 1188	2400	tcpip.exe	17

C:\Windows\SysWOW64\vvvvvvvv.bat

Filesize
136B

MD5
62d9458eb6f619c54437f7b0fbf61b4a

SHA1
2e0dad7bce2fd724d66f4f448207c106615672a1

SHA256
5fa2bcfd5ab256d593d88b4164d42bb80037957d1bfaf93761848cb2742d76a3

SHA512
8913fbb1a26c39fb785ff12df80a289ff0783f99892b0782153e64f0551b144e8fc0c52d110b1a8fbfce0802b8b7e45b89331f77ff3f676d210e7b192d45b449

Download Submit
\Users\Admin\AppData\Local\Temp\temp.exe

Filesize
44KB

MD5
2f6dc866d08223a116b1c6eadb39aa94

SHA1
5c42be0b2ac9dd183ec9c449e04166d7411f7782

SHA256
424866e685d0415a668f030c5c8246fb40677ddbb9ed6ddbfea1b0e26a29da74

SHA512
5625cd86258313e4b328b805a10f8cd218919c3c088497e34be4f2879cc357fe3f53c40187bf228b0f91415d3ea779f634858215a6629857c1657a739710d674

Download Submit
memory/1188-18-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/2040-1-0x0000000000400000-0x000000000042103E-memory.dmp

Filesize
132KB

Download
memory/2040-2-0x0000000000400000-0x000000000042103E-memory.dmp

Filesize
132KB

Download