modiloader | 3ea6ff202b76d35ab062aa8ca1c5ac10b46e54d543f068ffedb1a5dbc32cbbda

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2023 22:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e2f091d7563e53ed96d7f29040805a9.exe
Size

1.2MB
MD5

1e2f091d7563e53ed96d7f29040805a9
SHA1

322d9e16b96a735ac2731ab6375d623bb4d31bcc
SHA256

3ea6ff202b76d35ab062aa8ca1c5ac10b46e54d543f068ffedb1a5dbc32cbbda
SHA512

96c16b9b40cb9ff07fe0e9615ceab66b5acbcfdb630f775d4f9c2071a6ec89fd42e2087c9888594626433c00e379d24e85d516ee4313faaebefba1ed662dc1b3
SSDEEP

24576:YPVNcSZZzcSOHYPxMpXTXRVoumkjc8cwzPS:Wjc2AAM3dc8cN

Score

10^/10

modiloader bootkit persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader First Stage 7 IoCs

resource	yara_rule
behavioral2/memory/3652-8-0x0000000005110000-0x000000000517C000-memory.dmp	modiloader_stage1
behavioral2/memory/444-11-0x0000000000400000-0x000000000045C000-memory.dmp	modiloader_stage1
behavioral2/memory/444-10-0x0000000000400000-0x000000000045C000-memory.dmp	modiloader_stage1
behavioral2/memory/444-20-0x0000000000400000-0x000000000045C000-memory.dmp	modiloader_stage1
behavioral2/memory/444-18-0x0000000000400000-0x000000000045C000-memory.dmp	modiloader_stage1
behavioral2/memory/444-17-0x0000000000400000-0x000000000045C000-memory.dmp	modiloader_stage1
behavioral2/memory/444-21-0x0000000000400000-0x000000000045C000-memory.dmp	modiloader_stage1

Blocklisted process makes network request 2 IoCs

flow	pid	Process
88	444	cmd.exe
172	444	cmd.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	cmd.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\wmis.job	cmd.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4540	1e2f091d7563e53ed96d7f29040805a9.exe
3652	notepad.exe
3652	notepad.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3652	notepad.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4540 wrote to memory of 3652	4540	1e2f091d7563e53ed96d7f29040805a9.exe	24
PID 4540 wrote to memory of 3652	4540	1e2f091d7563e53ed96d7f29040805a9.exe	24
PID 4540 wrote to memory of 3652	4540	1e2f091d7563e53ed96d7f29040805a9.exe	24
PID 4540 wrote to memory of 3652	4540	1e2f091d7563e53ed96d7f29040805a9.exe	24
PID 4540 wrote to memory of 3652	4540	1e2f091d7563e53ed96d7f29040805a9.exe	24
PID 4540 wrote to memory of 3652	4540	1e2f091d7563e53ed96d7f29040805a9.exe	24
PID 4540 wrote to memory of 3652	4540	1e2f091d7563e53ed96d7f29040805a9.exe	24
PID 4540 wrote to memory of 3652	4540	1e2f091d7563e53ed96d7f29040805a9.exe	24
PID 4540 wrote to memory of 3652	4540	1e2f091d7563e53ed96d7f29040805a9.exe	24
PID 4540 wrote to memory of 3652	4540	1e2f091d7563e53ed96d7f29040805a9.exe	24
PID 4540 wrote to memory of 3652	4540	1e2f091d7563e53ed96d7f29040805a9.exe	24
PID 4540 wrote to memory of 3652	4540	1e2f091d7563e53ed96d7f29040805a9.exe	24
PID 4540 wrote to memory of 3652	4540	1e2f091d7563e53ed96d7f29040805a9.exe	24
PID 4540 wrote to memory of 3652	4540	1e2f091d7563e53ed96d7f29040805a9.exe	24
PID 4540 wrote to memory of 3652	4540	1e2f091d7563e53ed96d7f29040805a9.exe	24
PID 4540 wrote to memory of 3652	4540	1e2f091d7563e53ed96d7f29040805a9.exe	24
PID 4540 wrote to memory of 3652	4540	1e2f091d7563e53ed96d7f29040805a9.exe	24
PID 4540 wrote to memory of 3652	4540	1e2f091d7563e53ed96d7f29040805a9.exe	24
PID 4540 wrote to memory of 3652	4540	1e2f091d7563e53ed96d7f29040805a9.exe	24
PID 4540 wrote to memory of 3652	4540	1e2f091d7563e53ed96d7f29040805a9.exe	24
PID 4540 wrote to memory of 3652	4540	1e2f091d7563e53ed96d7f29040805a9.exe	24
PID 4540 wrote to memory of 3652	4540	1e2f091d7563e53ed96d7f29040805a9.exe	24
PID 4540 wrote to memory of 3652	4540	1e2f091d7563e53ed96d7f29040805a9.exe	24
PID 4540 wrote to memory of 3652	4540	1e2f091d7563e53ed96d7f29040805a9.exe	24
PID 4540 wrote to memory of 3652	4540	1e2f091d7563e53ed96d7f29040805a9.exe	24
PID 4540 wrote to memory of 3652	4540	1e2f091d7563e53ed96d7f29040805a9.exe	24
PID 4540 wrote to memory of 3652	4540	1e2f091d7563e53ed96d7f29040805a9.exe	24
PID 4540 wrote to memory of 3652	4540	1e2f091d7563e53ed96d7f29040805a9.exe	24
PID 4540 wrote to memory of 3652	4540	1e2f091d7563e53ed96d7f29040805a9.exe	24
PID 4540 wrote to memory of 3652	4540	1e2f091d7563e53ed96d7f29040805a9.exe	24
PID 4540 wrote to memory of 3652	4540	1e2f091d7563e53ed96d7f29040805a9.exe	24
PID 4540 wrote to memory of 3652	4540	1e2f091d7563e53ed96d7f29040805a9.exe	24
PID 4540 wrote to memory of 3652	4540	1e2f091d7563e53ed96d7f29040805a9.exe	24
PID 4540 wrote to memory of 3652	4540	1e2f091d7563e53ed96d7f29040805a9.exe	24
PID 4540 wrote to memory of 3652	4540	1e2f091d7563e53ed96d7f29040805a9.exe	24
PID 4540 wrote to memory of 3652	4540	1e2f091d7563e53ed96d7f29040805a9.exe	24
PID 4540 wrote to memory of 3652	4540	1e2f091d7563e53ed96d7f29040805a9.exe	24
PID 4540 wrote to memory of 3652	4540	1e2f091d7563e53ed96d7f29040805a9.exe	24
PID 4540 wrote to memory of 3652	4540	1e2f091d7563e53ed96d7f29040805a9.exe	24
PID 4540 wrote to memory of 3652	4540	1e2f091d7563e53ed96d7f29040805a9.exe	24
PID 4540 wrote to memory of 3652	4540	1e2f091d7563e53ed96d7f29040805a9.exe	24
PID 4540 wrote to memory of 3652	4540	1e2f091d7563e53ed96d7f29040805a9.exe	24
PID 4540 wrote to memory of 3652	4540	1e2f091d7563e53ed96d7f29040805a9.exe	24
PID 4540 wrote to memory of 3652	4540	1e2f091d7563e53ed96d7f29040805a9.exe	24
PID 4540 wrote to memory of 3652	4540	1e2f091d7563e53ed96d7f29040805a9.exe	24
PID 4540 wrote to memory of 3652	4540	1e2f091d7563e53ed96d7f29040805a9.exe	24
PID 4540 wrote to memory of 3652	4540	1e2f091d7563e53ed96d7f29040805a9.exe	24
PID 4540 wrote to memory of 3652	4540	1e2f091d7563e53ed96d7f29040805a9.exe	24
PID 4540 wrote to memory of 3652	4540	1e2f091d7563e53ed96d7f29040805a9.exe	24
PID 4540 wrote to memory of 3652	4540	1e2f091d7563e53ed96d7f29040805a9.exe	24
PID 4540 wrote to memory of 3652	4540	1e2f091d7563e53ed96d7f29040805a9.exe	24
PID 4540 wrote to memory of 3652	4540	1e2f091d7563e53ed96d7f29040805a9.exe	24
PID 4540 wrote to memory of 3652	4540	1e2f091d7563e53ed96d7f29040805a9.exe	24
PID 4540 wrote to memory of 3652	4540	1e2f091d7563e53ed96d7f29040805a9.exe	24
PID 4540 wrote to memory of 3652	4540	1e2f091d7563e53ed96d7f29040805a9.exe	24
PID 4540 wrote to memory of 3652	4540	1e2f091d7563e53ed96d7f29040805a9.exe	24
PID 4540 wrote to memory of 3652	4540	1e2f091d7563e53ed96d7f29040805a9.exe	24
PID 4540 wrote to memory of 3652	4540	1e2f091d7563e53ed96d7f29040805a9.exe	24
PID 4540 wrote to memory of 3652	4540	1e2f091d7563e53ed96d7f29040805a9.exe	24
PID 4540 wrote to memory of 3652	4540	1e2f091d7563e53ed96d7f29040805a9.exe	24
PID 4540 wrote to memory of 3652	4540	1e2f091d7563e53ed96d7f29040805a9.exe	24
PID 4540 wrote to memory of 3652	4540	1e2f091d7563e53ed96d7f29040805a9.exe	24
PID 4540 wrote to memory of 3652	4540	1e2f091d7563e53ed96d7f29040805a9.exe	24
PID 4540 wrote to memory of 3652	4540	1e2f091d7563e53ed96d7f29040805a9.exe	24

C:\Users\Admin\AppData\Local\Temp\1e2f091d7563e53ed96d7f29040805a9.exe
"C:\Users\Admin\AppData\Local\Temp\1e2f091d7563e53ed96d7f29040805a9.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4540
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:3652
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Blocklisted process makes network request
    - Writes to the Master Boot Record (MBR)
    - Drops file in Windows directory
    PID:444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/444-20-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/444-10-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/444-21-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/444-17-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/444-11-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/444-18-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/444-12-0x0000000000760000-0x0000000000768000-memory.dmp

Filesize
32KB

Download
memory/3652-7-0x0000000001290000-0x0000000001298000-memory.dmp

Filesize
32KB

Download
memory/3652-8-0x0000000005110000-0x000000000517C000-memory.dmp

Filesize
432KB

Download
memory/3652-13-0x0000000005110000-0x000000000517C000-memory.dmp

Filesize
432KB

Download
memory/3652-2-0x0000000001020000-0x0000000001022000-memory.dmp

Filesize
8KB

Download
memory/4540-4-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/4540-1-0x0000000000A40000-0x0000000000A4A000-memory.dmp

Filesize
40KB

Download
memory/4540-0-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/4540-6-0x0000000000A40000-0x0000000000A4A000-memory.dmp

Filesize
40KB

Download
memory/4540-3-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download