modiloader | c251e41ace16d333ca13ea0a4e57a897f54d5b11ba976318bb6c144728cf2616

Analysis

max time kernel
149s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 22:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1e3b33cd588967d5a73dc17a7d56e901.exe
Size

151KB
MD5

1e3b33cd588967d5a73dc17a7d56e901
SHA1

78b7e6c59ed6a8fc6f6579ca741f5df065f5f553
SHA256

c251e41ace16d333ca13ea0a4e57a897f54d5b11ba976318bb6c144728cf2616
SHA512

411b461c41360ddbebe368b532c0bee514507972d843841082b21068ed6d44bcd1f31ad804102ab8146669ce4044240435f203142ab0ed6e8d8da93ef85ad06f
SSDEEP

3072:7TckoauN1wPdDkT2hNMBQHuxUT/oUp4cKH+pfzRt9RTwXoSXjf7:7FXuNGdDkTXjgbp7RVTwXoa

Score

10^/10

modiloader trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

resource	yara_rule
behavioral2/memory/3472-52-0x0000000010410000-0x000000001046D000-memory.dmp	modiloader_stage2
behavioral2/memory/3472-66-0x0000000010410000-0x000000001046D000-memory.dmp	modiloader_stage2
behavioral2/memory/3472-51-0x0000000010410000-0x000000001046D000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
5068	netservice.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5068-47-0x0000000010410000-0x000000001046D000-memory.dmp	upx
behavioral2/memory/3472-52-0x0000000010410000-0x000000001046D000-memory.dmp	upx
behavioral2/memory/3472-66-0x0000000010410000-0x000000001046D000-memory.dmp	upx
behavioral2/memory/3472-51-0x0000000010410000-0x000000001046D000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\netservice.exe	1e3b33cd588967d5a73dc17a7d56e901.exe
File opened for modification	C:\Windows\SysWOW64\netservice.exe	1e3b33cd588967d5a73dc17a7d56e901.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2636	1e3b33cd588967d5a73dc17a7d56e901.exe
2636	1e3b33cd588967d5a73dc17a7d56e901.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5068	netservice.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5068	netservice.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2636 wrote to memory of 4892	2636	1e3b33cd588967d5a73dc17a7d56e901.exe	22
PID 2636 wrote to memory of 4892	2636	1e3b33cd588967d5a73dc17a7d56e901.exe	22
PID 2636 wrote to memory of 4892	2636	1e3b33cd588967d5a73dc17a7d56e901.exe	22
PID 5068 wrote to memory of 3472	5068	netservice.exe	21
PID 5068 wrote to memory of 3472	5068	netservice.exe	21
PID 5068 wrote to memory of 3472	5068	netservice.exe	21
PID 5068 wrote to memory of 3472	5068	netservice.exe	21
PID 5068 wrote to memory of 3472	5068	netservice.exe	21
PID 5068 wrote to memory of 3472	5068	netservice.exe	21
PID 5068 wrote to memory of 3472	5068	netservice.exe	21
PID 5068 wrote to memory of 3472	5068	netservice.exe	21
PID 5068 wrote to memory of 3472	5068	netservice.exe	21
PID 5068 wrote to memory of 3472	5068	netservice.exe	21
PID 5068 wrote to memory of 3472	5068	netservice.exe	21
PID 5068 wrote to memory of 3472	5068	netservice.exe	21
PID 5068 wrote to memory of 3472	5068	netservice.exe	21
PID 5068 wrote to memory of 3472	5068	netservice.exe	21
PID 5068 wrote to memory of 3472	5068	netservice.exe	21
PID 5068 wrote to memory of 3472	5068	netservice.exe	21
PID 5068 wrote to memory of 3472	5068	netservice.exe	21
PID 5068 wrote to memory of 3472	5068	netservice.exe	21
PID 5068 wrote to memory of 3472	5068	netservice.exe	21
PID 5068 wrote to memory of 3472	5068	netservice.exe	21
PID 5068 wrote to memory of 3472	5068	netservice.exe	21
PID 5068 wrote to memory of 3472	5068	netservice.exe	21
PID 5068 wrote to memory of 3472	5068	netservice.exe	21
PID 5068 wrote to memory of 3472	5068	netservice.exe	21
PID 5068 wrote to memory of 3472	5068	netservice.exe	21
PID 5068 wrote to memory of 3472	5068	netservice.exe	21
PID 5068 wrote to memory of 3472	5068	netservice.exe	21
PID 5068 wrote to memory of 3472	5068	netservice.exe	21
PID 5068 wrote to memory of 3472	5068	netservice.exe	21
PID 5068 wrote to memory of 3472	5068	netservice.exe	21
PID 5068 wrote to memory of 3472	5068	netservice.exe	21
PID 5068 wrote to memory of 3472	5068	netservice.exe	21
PID 5068 wrote to memory of 3472	5068	netservice.exe	21
PID 5068 wrote to memory of 3472	5068	netservice.exe	21
PID 5068 wrote to memory of 3472	5068	netservice.exe	21
PID 5068 wrote to memory of 3472	5068	netservice.exe	21
PID 5068 wrote to memory of 3472	5068	netservice.exe	21
PID 5068 wrote to memory of 3472	5068	netservice.exe	21
PID 5068 wrote to memory of 3472	5068	netservice.exe	21
PID 5068 wrote to memory of 3472	5068	netservice.exe	21
PID 5068 wrote to memory of 3472	5068	netservice.exe	21
PID 5068 wrote to memory of 3472	5068	netservice.exe	21
PID 5068 wrote to memory of 3472	5068	netservice.exe	21
PID 5068 wrote to memory of 3472	5068	netservice.exe	21
PID 5068 wrote to memory of 3472	5068	netservice.exe	21
PID 5068 wrote to memory of 3472	5068	netservice.exe	21
PID 5068 wrote to memory of 3472	5068	netservice.exe	21
PID 5068 wrote to memory of 3472	5068	netservice.exe	21
PID 5068 wrote to memory of 3472	5068	netservice.exe	21
PID 5068 wrote to memory of 3472	5068	netservice.exe	21
PID 5068 wrote to memory of 3472	5068	netservice.exe	21
PID 5068 wrote to memory of 3472	5068	netservice.exe	21
PID 5068 wrote to memory of 3472	5068	netservice.exe	21
PID 5068 wrote to memory of 3472	5068	netservice.exe	21
PID 5068 wrote to memory of 3472	5068	netservice.exe	21
PID 5068 wrote to memory of 3472	5068	netservice.exe	21
PID 5068 wrote to memory of 3472	5068	netservice.exe	21
PID 5068 wrote to memory of 3472	5068	netservice.exe	21
PID 5068 wrote to memory of 3472	5068	netservice.exe	21
PID 5068 wrote to memory of 3472	5068	netservice.exe	21
PID 5068 wrote to memory of 3472	5068	netservice.exe	21

C:\Users\Admin\AppData\Local\Temp\1e3b33cd588967d5a73dc17a7d56e901.exe
"C:\Users\Admin\AppData\Local\Temp\1e3b33cd588967d5a73dc17a7d56e901.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del "C:\Users\Admin\AppData\Local\Temp\1e3b33cd588967d5a73dc17a7d56e901.exe"
  2⤵
  PID:4892

C:\Windows\SysWOW64\netservice.exe
C:\Windows\SysWOW64\netservice.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5068
- C:\Windows\SysWOW64\svchost.exe
  "svchost.exe"
  2⤵
  PID:3472

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\netservice.exe

Filesize
151KB

MD5
1e3b33cd588967d5a73dc17a7d56e901

SHA1
78b7e6c59ed6a8fc6f6579ca741f5df065f5f553

SHA256
c251e41ace16d333ca13ea0a4e57a897f54d5b11ba976318bb6c144728cf2616

SHA512
411b461c41360ddbebe368b532c0bee514507972d843841082b21068ed6d44bcd1f31ad804102ab8146669ce4044240435f203142ab0ed6e8d8da93ef85ad06f

Download Submit
memory/2636-0-0x0000000013140000-0x000000001319A000-memory.dmp

Filesize
360KB

Download
memory/2636-1-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/2636-9-0x0000000013140000-0x000000001319A000-memory.dmp

Filesize
360KB

Download
memory/3472-50-0x0000000004070000-0x0000000004071000-memory.dmp

Filesize
4KB

Download
memory/3472-52-0x0000000010410000-0x000000001046D000-memory.dmp

Filesize
372KB

Download
memory/3472-66-0x0000000010410000-0x000000001046D000-memory.dmp

Filesize
372KB

Download
memory/3472-51-0x0000000010410000-0x000000001046D000-memory.dmp

Filesize
372KB

Download
memory/3472-11-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/3472-10-0x0000000000B70000-0x0000000000B71000-memory.dmp

Filesize
4KB

Download
memory/5068-47-0x0000000010410000-0x000000001046D000-memory.dmp

Filesize
372KB

Download
memory/5068-7-0x0000000000560000-0x00000000005A0000-memory.dmp

Filesize
256KB

Download
memory/5068-6-0x0000000013140000-0x000000001319A000-memory.dmp

Filesize
360KB

Download
memory/5068-67-0x0000000013140000-0x000000001319A000-memory.dmp

Filesize
360KB

Download