modiloader | 45196da24df8582560c84088e81b3eecbfb19f8da2fcd7cd75aed2d8851aeeba

Analysis

max time kernel
151s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 03:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ceab7e105d0a554716bd4cf98ed97cd.exe
Size

131KB
MD5

0ceab7e105d0a554716bd4cf98ed97cd
SHA1

c2d7189d1c2bea1a652d442d556a032de9d6bc73
SHA256

45196da24df8582560c84088e81b3eecbfb19f8da2fcd7cd75aed2d8851aeeba
SHA512

befbfabba7526837b42fcf3ffb2718eeaeb2a37e1fe30b30aa0f6b5c19d89baac942b0512d880b44ff85303e063bb320e982791a93f6e7508f7f78bcc71f28a2
SSDEEP

3072:SuyrHX1EedcfeO4iwQCxkhBzEpdVWNL/Ggi98FlDM9c:SuyrHX1XdpOTW3VWFGgMeDMe

Score

10^/10

modiloader evasion trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0ceab7e105d0a554716bd4cf98ed97cd.exe

ModiLoader Second Stage 3 IoCs

resource	yara_rule
behavioral1/memory/2136-1-0x0000000000400000-0x000000000047178B-memory.dmp	modiloader_stage2
behavioral1/memory/2136-11-0x00000000765C0000-0x00000000766B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2136-16-0x0000000000400000-0x000000000047178B-memory.dmp	modiloader_stage2

Loads dropped DLL 2 IoCs

pid	Process
2136	0ceab7e105d0a554716bd4cf98ed97cd.exe
2136	0ceab7e105d0a554716bd4cf98ed97cd.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0ceab7e105d0a554716bd4cf98ed97cd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0ceab7e105d0a554716bd4cf98ed97cd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2136	0ceab7e105d0a554716bd4cf98ed97cd.exe
Token: SeDebugPrivilege	2136	0ceab7e105d0a554716bd4cf98ed97cd.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2136	0ceab7e105d0a554716bd4cf98ed97cd.exe
2136	0ceab7e105d0a554716bd4cf98ed97cd.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0ceab7e105d0a554716bd4cf98ed97cd.exe

C:\Users\Admin\AppData\Local\Temp\0ceab7e105d0a554716bd4cf98ed97cd.exe
"C:\Users\Admin\AppData\Local\Temp\0ceab7e105d0a554716bd4cf98ed97cd.exe"
1⤵
- UAC bypass
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\cmsetac.dll

Filesize
33KB

MD5
91e64b336de5e4005022a6d83c38f54e

SHA1
dc2e5b276ccc816d2860b24bdf65204c90a63faa

SHA256
876d656f21c588e803a0d14e6ddd60cab34864c80a539f7cb8c364809d5af2a4

SHA512
24458a68d242843925ae5c287c7990aff83c78281da78e91ee865d717e3e9a032035c42422f0c9e133fe1f9982d00e062b06420e344ca457bd8756ee0db3f61a

Download Submit
\Users\Admin\AppData\Local\Temp\ntdtcstp.dll

Filesize
7KB

MD5
67587e25a971a141628d7f07bd40ffa0

SHA1
76fcd014539a3bb247cc0b761225f68bd6055f6b

SHA256
e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378

SHA512
6e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350

Download Submit
memory/2136-11-0x00000000765C0000-0x00000000766B0000-memory.dmp

Filesize
960KB

Download
memory/2136-7-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2136-9-0x00000000023C0000-0x00000000023CE000-memory.dmp

Filesize
56KB

Download
memory/2136-1-0x0000000000400000-0x000000000047178B-memory.dmp

Filesize
453KB

Download
memory/2136-0-0x0000000000400000-0x000000000047178B-memory.dmp

Filesize
453KB

Download
memory/2136-12-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/2136-13-0x0000000075430000-0x0000000075444000-memory.dmp

Filesize
80KB

Download
memory/2136-14-0x00000000002B0000-0x00000000002B8000-memory.dmp

Filesize
32KB

Download
memory/2136-15-0x00000000023C0000-0x00000000023CE000-memory.dmp

Filesize
56KB

Download
memory/2136-16-0x0000000000400000-0x000000000047178B-memory.dmp

Filesize
453KB

Download
memory/2136-19-0x00000000765C0000-0x00000000766B0000-memory.dmp

Filesize
960KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads