modiloader | 5dfff5ac350d6e51a5ec28fe728d9c918a1f5882241c6660aa303d4dae0ad5e4

Analysis

max time kernel
120s
max time network
145s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/12/2023, 20:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02dcad2dc67e6808fb7eab1bb84ffcae.exe
Size

312KB
MD5

02dcad2dc67e6808fb7eab1bb84ffcae
SHA1

f15eaa4e8115abed28f5f53ec59d38995a066437
SHA256

5dfff5ac350d6e51a5ec28fe728d9c918a1f5882241c6660aa303d4dae0ad5e4
SHA512

601552ee1dd7669dbd76439bf25cc592c19b715297e17d0e017d8b751753e255561296efa69fceba6ce82f06333aa3b4ae93fa2697bbad041c0dac797ad0f3f5
SSDEEP

6144:j80Mh2tKu20EIixqjqEwS8C3dbzmclGkpYRMcOqwpfYqFSV6T:/Mh2tk0ji0FwS8KlGkpnBHpA0SV6

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral1/memory/2228-5-0x0000000000400000-0x000000000050F000-memory.dmp	modiloader_stage2

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\FieleWay.txt	02dcad2dc67e6808fb7eab1bb84ffcae.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2228 set thread context of 608	2228	02dcad2dc67e6808fb7eab1bb84ffcae.exe	28

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{461E7841-A6A6-11EE-A675-6E556AB52A45} = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "410056237"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
608	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
608	IEXPLORE.EXE
608	IEXPLORE.EXE
2296	IEXPLORE.EXE
2296	IEXPLORE.EXE
2296	IEXPLORE.EXE
2296	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 608	2228	02dcad2dc67e6808fb7eab1bb84ffcae.exe	28
PID 2228 wrote to memory of 608	2228	02dcad2dc67e6808fb7eab1bb84ffcae.exe	28
PID 2228 wrote to memory of 608	2228	02dcad2dc67e6808fb7eab1bb84ffcae.exe	28
PID 2228 wrote to memory of 608	2228	02dcad2dc67e6808fb7eab1bb84ffcae.exe	28
PID 2228 wrote to memory of 608	2228	02dcad2dc67e6808fb7eab1bb84ffcae.exe	28
PID 608 wrote to memory of 2296	608	IEXPLORE.EXE	29
PID 608 wrote to memory of 2296	608	IEXPLORE.EXE	29
PID 608 wrote to memory of 2296	608	IEXPLORE.EXE	29
PID 608 wrote to memory of 2296	608	IEXPLORE.EXE	29

C:\Users\Admin\AppData\Local\Temp\02dcad2dc67e6808fb7eab1bb84ffcae.exe
"C:\Users\Admin\AppData\Local\Temp\02dcad2dc67e6808fb7eab1bb84ffcae.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2228
- C:\program files\internet explorer\IEXPLORE.EXE
  "C:\program files\internet explorer\IEXPLORE.EXE"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:608
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:608 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ef1eedac77a389da364f010ab0bbad08

SHA1
a055f7bd1fbd6c897e09a15f613bcd2b2168268a

SHA256
ce25a2219e80cf19d735aa59e66bbbe5de28c8f0f78be26479a690d30cb6fbca

SHA512
805fe51ea0f559bd341ed5c74c6fd64f314d211ee97628c98caa44a6b42dab00551201557ae3e58cad7187e9ea2b037fa05628dac622efe09e2548ec1d5bae64

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ce057273a69824d49ca71c82b4fbeba3

SHA1
4ad1e20dfd97e0213c9730363a657afb3c557f2e

SHA256
20992da181e3c0e49c12bbe7ed886aa842910f47584b0a28afa06ed8f8d04061

SHA512
f9aa38d802d26caff9453d4191b0f9cd7bd1c876acdb97b7eaf5d691e28a6e33973c56294e878522d6500f0495e2af77d1a4df2ed9b72c15bae09f5f7ee4afbc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7ab14e17d37cde46f52dde1557016def

SHA1
2adfca220dd3b497318ba2a784b04d3dc9f0f5de

SHA256
ae5749fbbb8227219a812c03c90492155384715f9a7172496f9cc442910180a0

SHA512
3d6df4e7905a1f743721b09e470a15a350ae51979b46d9a5bd9c6a3b85c420c1904d470f6b60342a517db021080e20f49a2f036caddc9303900531dbf0674ea3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c163bc86844c74d407c96e5356483ffe

SHA1
4eb21aad338e8f076f4297bd9491688101df1983

SHA256
71c3dd0f0ffa4ac3b0d5fac8f7aaa3e20fe65652cc3cdb098aee3d9fcf151ae5

SHA512
4d0bedd82ba1bc86fadbd25cb486812402d04858d1527fc51e6a4cc059d6364a834615a8dc5aabd61f5a43c1d3a3ddbd999051a8ea7297a824692f74a9f8d95b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9fe65997458074a5368bb3787a2f2fcd

SHA1
36d5d8576bbf96daa2a1fcd00040dda645f25ea4

SHA256
61fcead6860d7928046af8a5c64e201f469dbe95867c4f70d3bb5d588594b194

SHA512
8d816f57ad80e59fe6a49ec482ae6ca7774f3b65b6a73813832730b5a489dfe18cc17b741d8d2e30d0b3cd61860f0617e6b568d51051a7b7ea3aed560ee7e5cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4f060d66ef3cfc13797ad9e38aea3764

SHA1
52ca15ab62db480e09eb9181e0fe2747988b093d

SHA256
252420f2cf14ca850f84c98ee70a9450641152cc5fab739e0285aa161952c420

SHA512
945276cef218701d2d298372498d81e904e61b6853e19ef52600586dbc3a0350b3c638fdd877fc13c529b3c26a5e9b7c5d73dc332fb23ddb07b3adacb80d87b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f8d85be4f65592e6aa7f12f1414669ce

SHA1
9480926f15c49696438e72cbc1c349f97f5decd4

SHA256
5f0e486299cda86478aaa63fd8a835b81345fefd5dea9ba2d67e1b297461ddcd

SHA512
5298d1e96dac2f4871561a4a7491545d0c38d9f18d386e313104dfbeea1e045c595129c1fdd5f5d14f55fb09184bdde9acfe3b5f72868b7253200356733b4b97

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
205465c55c556cdf38f0e01bb38fd6af

SHA1
c48b183f272ee1d4bbc68e0c5f4dafdaa8715531

SHA256
49e7316d81af4778eb62d36d7ed5d04b050f47c4fc0ead0b751b5c68745b6445

SHA512
9e3e56f36f8f1de1d1d66c3b4c4a3ee0ea0359cc249deacb297b44b5ec40334da3ef5376afb7419a5ad64eafc11ec1a7efcb261feef08013cf697e6c6ae656a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
39ff54b8470b65196bd913cb7d63898e

SHA1
90be3704c3fb79639f7c9a134b43e34939a02643

SHA256
4cee27bff7505e937cee11b44ee504fef7d3a76dac3fa4dc3563da685696bf89

SHA512
4ef65b43234070e27ac1f5f4e2b6339f093989a327dd39c148f200beb9a59c3f64f904fbe8a6bae3b3d3fed6c07cd552778e8bf16bc44b0a2b073e49eacc41c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6b124cc8b056c021b114203af7bf4eca

SHA1
3b0566c776ef7f07e76216cb2f96fec04856d44c

SHA256
1f1e970f24279bd729587d5125a5b0799cb5c9589a7297e884fd62decee936d8

SHA512
a710ff6796150a83723d3d247e9cb2355372d5e61e2d5cdfcbd1ef1cc18b4681c4801438913025b2947749fb7f76c15f65f993dafdb555a01c18b89178404c49

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f356411aa2424e9a522709aa2ef637bc

SHA1
772e08e039c932866bbf29c0dcd1f11d0b537e3a

SHA256
e553c7a25172634f967fa9913a3dbfce96cdde8efc4b93fa9b1d4114ea2b5358

SHA512
2fd8e7595337597f4921dc9622d3ff86651610993dadfde215075abf578ca220508b679568df1f4576588ac61999204cec2c2e052f6e0d21791182041447be05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c9cdcb65809956c60b2f2051a4bf4052

SHA1
0cb302a752faa99c486c1537ca9e22cd7b226fea

SHA256
25ccd8baac9c52557d00b6e15bfd0c0a7506699878c4027f58dd6c59e9253f6d

SHA512
e57e4d244203c1ed37cef07f78eddea484f4d5b4d46484ba78d353e4d156851f3134f12996d7b27636d7ac001582f9a16e1015021aaa49d77236d72a6b2e63e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d3cc5cf4b917c8ef8cc70d0835a5e364

SHA1
ba5dda4110881b355ba2ad2d15ae07da09f78a80

SHA256
efb7205a2b15576b2517f80a307ae3cf5c33633384c792ea5763ddf94f67f159

SHA512
903cb00f49873e757fa1947a218ca8e1360cc5e79f5c981fa12ad66ab49fd0494f1a99262058db2fa9ecf89d4db1134d2d9fe5a2680ba9e36876a773200b900c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f25a0d6b31e6fea1ac9677976f18a8ee

SHA1
c1ec9578e325286eac4994970bf981ae30793ffd

SHA256
c9d9dd9a0429bb1b8905f96318a17cc4f575175dfdf9ffa64457726a108832d8

SHA512
f422d9dffc309f48a0b3618a39d04eb77698a209d950ea74a2556b359a35a029c7b6d92cc05f282411f225dff5d0355c870ad716c956820f23c1e0445111b2bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab82B8.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8481.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
memory/608-4-0x0000000000160000-0x000000000026F000-memory.dmp

Filesize
1.1MB

Download
memory/2228-5-0x0000000000400000-0x000000000050F000-memory.dmp

Filesize
1.1MB

Download
memory/2228-2-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2228-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2228-0-0x0000000000400000-0x000000000050F000-memory.dmp

Filesize
1.1MB

Download