modiloader | 48c7eef81254424ca43b9302fcaf9e7dc8a3b6dd317d9c2526f142de934fa88f

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/12/2023, 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05606ed618ba2049f689624a5c92c59f.exe
Size

372KB
MD5

05606ed618ba2049f689624a5c92c59f
SHA1

abc1757c103c293785ec74ccf8654eb23b96d936
SHA256

48c7eef81254424ca43b9302fcaf9e7dc8a3b6dd317d9c2526f142de934fa88f
SHA512

f56f51175f8afc549d6f34af2a29181f4d30a9e1030286aef223502baa6b0e79b04eb0d62da4b3ac4fc5a198111b5d224be9890399fe9d5e92d34ad1e35223cc
SSDEEP

6144:s/gkkCIh1n1v1D1n1v1D1n1v1D1n1v1D1n1vJTJbJHJzJbJnJTJbJHJzJbJnJTJJ:lkWhlNJFNplNJFNplNJFNplNJFNplNJf

Score

10^/10

modiloader persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Windows\\winllogon.exe\""	winllogon.exe

ModiLoader Second Stage 13 IoCs

resource	yara_rule
behavioral1/memory/2712-6-0x0000000000400000-0x0000000000460000-memory.dmp	modiloader_stage2
behavioral1/memory/2712-8-0x0000000000400000-0x0000000000460000-memory.dmp	modiloader_stage2
behavioral1/memory/2712-11-0x0000000000400000-0x0000000000460000-memory.dmp	modiloader_stage2
behavioral1/memory/2712-14-0x0000000000400000-0x0000000000460000-memory.dmp	modiloader_stage2
behavioral1/memory/2712-17-0x0000000000400000-0x0000000000460000-memory.dmp	modiloader_stage2
behavioral1/memory/2712-21-0x0000000000400000-0x0000000000460000-memory.dmp	modiloader_stage2
behavioral1/memory/2712-22-0x0000000000400000-0x0000000000460000-memory.dmp	modiloader_stage2
behavioral1/memory/2712-23-0x0000000000400000-0x0000000000460000-memory.dmp	modiloader_stage2
behavioral1/memory/2712-26-0x0000000000400000-0x0000000000460000-memory.dmp	modiloader_stage2
behavioral1/memory/2712-32-0x0000000000400000-0x0000000000460000-memory.dmp	modiloader_stage2
behavioral1/memory/2584-60-0x0000000000400000-0x0000000000460000-memory.dmp	modiloader_stage2
behavioral1/memory/2584-61-0x0000000000400000-0x0000000000460000-memory.dmp	modiloader_stage2
behavioral1/memory/2584-79-0x0000000000400000-0x0000000000460000-memory.dmp	modiloader_stage2

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80ON131A-46MV-620B-N5M0-714N78TIP1R6}	winllogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80ON131A-46MV-620B-N5M0-714N78TIP1R6}\StubPath = "\"C:\\Windows\\winllogon.exe\""	winllogon.exe

Executes dropped EXE 3 IoCs

pid	Process
2616	winllogon.exe
2584	winllogon.exe
2560	INFAMOUS HOOK V.O2.EXE

Loads dropped DLL 2 IoCs

pid	Process
2584	winllogon.exe
2584	winllogon.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\INFAMOUS HOOK V.O2.EXE	winllogon.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2676 set thread context of 2712	2676	05606ed618ba2049f689624a5c92c59f.exe	28
PID 2616 set thread context of 2584	2616	winllogon.exe	30

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\winllogon.exe	05606ed618ba2049f689624a5c92c59f.exe
File opened for modification	C:\Windows\winllogon.exe	05606ed618ba2049f689624a5c92c59f.exe
File opened for modification	C:\Windows\winllogon.exe	winllogon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2560	INFAMOUS HOOK V.O2.EXE
2560	INFAMOUS HOOK V.O2.EXE
2560	INFAMOUS HOOK V.O2.EXE
2560	INFAMOUS HOOK V.O2.EXE
2560	INFAMOUS HOOK V.O2.EXE
2560	INFAMOUS HOOK V.O2.EXE
2560	INFAMOUS HOOK V.O2.EXE
2560	INFAMOUS HOOK V.O2.EXE
2560	INFAMOUS HOOK V.O2.EXE
2560	INFAMOUS HOOK V.O2.EXE
2560	INFAMOUS HOOK V.O2.EXE
2560	INFAMOUS HOOK V.O2.EXE
2560	INFAMOUS HOOK V.O2.EXE
2560	INFAMOUS HOOK V.O2.EXE
2560	INFAMOUS HOOK V.O2.EXE
2560	INFAMOUS HOOK V.O2.EXE
2560	INFAMOUS HOOK V.O2.EXE
2560	INFAMOUS HOOK V.O2.EXE
2560	INFAMOUS HOOK V.O2.EXE
2560	INFAMOUS HOOK V.O2.EXE
2560	INFAMOUS HOOK V.O2.EXE
2560	INFAMOUS HOOK V.O2.EXE
2560	INFAMOUS HOOK V.O2.EXE
2560	INFAMOUS HOOK V.O2.EXE
2560	INFAMOUS HOOK V.O2.EXE
2560	INFAMOUS HOOK V.O2.EXE
2560	INFAMOUS HOOK V.O2.EXE
2560	INFAMOUS HOOK V.O2.EXE
2560	INFAMOUS HOOK V.O2.EXE
2560	INFAMOUS HOOK V.O2.EXE
2560	INFAMOUS HOOK V.O2.EXE
2560	INFAMOUS HOOK V.O2.EXE
2560	INFAMOUS HOOK V.O2.EXE
2560	INFAMOUS HOOK V.O2.EXE
2560	INFAMOUS HOOK V.O2.EXE
2560	INFAMOUS HOOK V.O2.EXE
2560	INFAMOUS HOOK V.O2.EXE
2560	INFAMOUS HOOK V.O2.EXE
2560	INFAMOUS HOOK V.O2.EXE
2560	INFAMOUS HOOK V.O2.EXE
2560	INFAMOUS HOOK V.O2.EXE
2560	INFAMOUS HOOK V.O2.EXE
2560	INFAMOUS HOOK V.O2.EXE
2560	INFAMOUS HOOK V.O2.EXE
2560	INFAMOUS HOOK V.O2.EXE
2560	INFAMOUS HOOK V.O2.EXE
2560	INFAMOUS HOOK V.O2.EXE
2560	INFAMOUS HOOK V.O2.EXE
2560	INFAMOUS HOOK V.O2.EXE
2560	INFAMOUS HOOK V.O2.EXE
2560	INFAMOUS HOOK V.O2.EXE
2560	INFAMOUS HOOK V.O2.EXE
2560	INFAMOUS HOOK V.O2.EXE
2560	INFAMOUS HOOK V.O2.EXE
2560	INFAMOUS HOOK V.O2.EXE
2560	INFAMOUS HOOK V.O2.EXE
2560	INFAMOUS HOOK V.O2.EXE
2560	INFAMOUS HOOK V.O2.EXE
2560	INFAMOUS HOOK V.O2.EXE
2560	INFAMOUS HOOK V.O2.EXE
2560	INFAMOUS HOOK V.O2.EXE
2560	INFAMOUS HOOK V.O2.EXE
2560	INFAMOUS HOOK V.O2.EXE
2560	INFAMOUS HOOK V.O2.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2676	05606ed618ba2049f689624a5c92c59f.exe
2616	winllogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 2712	2676	05606ed618ba2049f689624a5c92c59f.exe	28
PID 2676 wrote to memory of 2712	2676	05606ed618ba2049f689624a5c92c59f.exe	28
PID 2676 wrote to memory of 2712	2676	05606ed618ba2049f689624a5c92c59f.exe	28
PID 2676 wrote to memory of 2712	2676	05606ed618ba2049f689624a5c92c59f.exe	28
PID 2676 wrote to memory of 2712	2676	05606ed618ba2049f689624a5c92c59f.exe	28
PID 2676 wrote to memory of 2712	2676	05606ed618ba2049f689624a5c92c59f.exe	28
PID 2676 wrote to memory of 2712	2676	05606ed618ba2049f689624a5c92c59f.exe	28
PID 2676 wrote to memory of 2712	2676	05606ed618ba2049f689624a5c92c59f.exe	28
PID 2676 wrote to memory of 2712	2676	05606ed618ba2049f689624a5c92c59f.exe	28
PID 2676 wrote to memory of 2712	2676	05606ed618ba2049f689624a5c92c59f.exe	28
PID 2676 wrote to memory of 2712	2676	05606ed618ba2049f689624a5c92c59f.exe	28
PID 2712 wrote to memory of 2616	2712	05606ed618ba2049f689624a5c92c59f.exe	29
PID 2712 wrote to memory of 2616	2712	05606ed618ba2049f689624a5c92c59f.exe	29
PID 2712 wrote to memory of 2616	2712	05606ed618ba2049f689624a5c92c59f.exe	29
PID 2712 wrote to memory of 2616	2712	05606ed618ba2049f689624a5c92c59f.exe	29
PID 2616 wrote to memory of 2584	2616	winllogon.exe	30
PID 2616 wrote to memory of 2584	2616	winllogon.exe	30
PID 2616 wrote to memory of 2584	2616	winllogon.exe	30
PID 2616 wrote to memory of 2584	2616	winllogon.exe	30
PID 2616 wrote to memory of 2584	2616	winllogon.exe	30
PID 2616 wrote to memory of 2584	2616	winllogon.exe	30
PID 2616 wrote to memory of 2584	2616	winllogon.exe	30
PID 2616 wrote to memory of 2584	2616	winllogon.exe	30
PID 2616 wrote to memory of 2584	2616	winllogon.exe	30
PID 2616 wrote to memory of 2584	2616	winllogon.exe	30
PID 2616 wrote to memory of 2584	2616	winllogon.exe	30
PID 2584 wrote to memory of 2560	2584	winllogon.exe	31
PID 2584 wrote to memory of 2560	2584	winllogon.exe	31
PID 2584 wrote to memory of 2560	2584	winllogon.exe	31
PID 2584 wrote to memory of 2560	2584	winllogon.exe	31
PID 2584 wrote to memory of 700	2584	winllogon.exe	32
PID 2584 wrote to memory of 700	2584	winllogon.exe	32
PID 2584 wrote to memory of 700	2584	winllogon.exe	32
PID 2584 wrote to memory of 700	2584	winllogon.exe	32
PID 2584 wrote to memory of 700	2584	winllogon.exe	32
PID 2584 wrote to memory of 700	2584	winllogon.exe	32
PID 2584 wrote to memory of 700	2584	winllogon.exe	32
PID 2584 wrote to memory of 700	2584	winllogon.exe	32
PID 2584 wrote to memory of 700	2584	winllogon.exe	32
PID 2584 wrote to memory of 700	2584	winllogon.exe	32
PID 2584 wrote to memory of 700	2584	winllogon.exe	32
PID 2584 wrote to memory of 700	2584	winllogon.exe	32
PID 2584 wrote to memory of 700	2584	winllogon.exe	32
PID 2584 wrote to memory of 700	2584	winllogon.exe	32
PID 2584 wrote to memory of 700	2584	winllogon.exe	32
PID 2584 wrote to memory of 700	2584	winllogon.exe	32
PID 2584 wrote to memory of 700	2584	winllogon.exe	32
PID 2584 wrote to memory of 700	2584	winllogon.exe	32
PID 2584 wrote to memory of 700	2584	winllogon.exe	32
PID 2584 wrote to memory of 700	2584	winllogon.exe	32
PID 2584 wrote to memory of 700	2584	winllogon.exe	32
PID 2584 wrote to memory of 700	2584	winllogon.exe	32
PID 2584 wrote to memory of 700	2584	winllogon.exe	32
PID 2584 wrote to memory of 700	2584	winllogon.exe	32
PID 2584 wrote to memory of 700	2584	winllogon.exe	32
PID 2584 wrote to memory of 700	2584	winllogon.exe	32
PID 2584 wrote to memory of 700	2584	winllogon.exe	32
PID 2584 wrote to memory of 700	2584	winllogon.exe	32
PID 2584 wrote to memory of 700	2584	winllogon.exe	32
PID 2584 wrote to memory of 700	2584	winllogon.exe	32
PID 2584 wrote to memory of 700	2584	winllogon.exe	32
PID 2584 wrote to memory of 700	2584	winllogon.exe	32
PID 2584 wrote to memory of 700	2584	winllogon.exe	32
PID 2584 wrote to memory of 700	2584	winllogon.exe	32

C:\Users\Admin\AppData\Local\Temp\05606ed618ba2049f689624a5c92c59f.exe
"C:\Users\Admin\AppData\Local\Temp\05606ed618ba2049f689624a5c92c59f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Users\Admin\AppData\Local\Temp\05606ed618ba2049f689624a5c92c59f.exe
  C:\Users\Admin\AppData\Local\Temp\05606ed618ba2049f689624a5c92c59f.exe
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\winllogon.exe
    "C:\Windows\winllogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Windows\winllogon.exe
      C:\Windows\winllogon.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies Installed Components in the registry
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2584
    - - C:\Windows\SysWOW64\INFAMOUS HOOK V.O2.EXE
        
        "C:\Windows\system32\INFAMOUS HOOK V.O2.EXE"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2560
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\winllogon.exe

Filesize
372KB

MD5
05606ed618ba2049f689624a5c92c59f

SHA1
abc1757c103c293785ec74ccf8654eb23b96d936

SHA256
48c7eef81254424ca43b9302fcaf9e7dc8a3b6dd317d9c2526f142de934fa88f

SHA512
f56f51175f8afc549d6f34af2a29181f4d30a9e1030286aef223502baa6b0e79b04eb0d62da4b3ac4fc5a198111b5d224be9890399fe9d5e92d34ad1e35223cc

Download Submit
\Windows\SysWOW64\INFAMOUS HOOK V.O2.EXE

Filesize
184KB

MD5
c4f002d211eae1dbe5b3b7f2272984a7

SHA1
647558c95bcd8bf28cbc9d262d5df52fb3f0724e

SHA256
5452158dd142fd0a14baecf1d23b4c3a619257eccca0a1bd4927fe6fdc0e5d20

SHA512
beee1390da386fe0eac98e42ff2e157e0936830d38bba477bfc89805213491b6d3ec118b18b4044a3e7c72eb55e027392b67e46179a249187073275e459cbb41

Download Submit
memory/2584-79-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2584-73-0x0000000010410000-0x0000000010449000-memory.dmp

Filesize
228KB

Download
memory/2584-61-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2584-60-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2712-11-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2712-18-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2712-21-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2712-22-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2712-23-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2712-26-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2712-17-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2712-32-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2712-14-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2712-2-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2712-8-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2712-6-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2712-4-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download