modiloader | 71e2410652d7aeba1175f5c83da40688333431ce60a6582f8d1459f82fc479b6

Analysis

max time kernel
118s
max time network
147s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 04:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f244ee308e134658888ff333caabe77.exe
Size

265KB
MD5

0f244ee308e134658888ff333caabe77
SHA1

6a5aeba31771e15fe6bc6208d991ba82d070d710
SHA256

71e2410652d7aeba1175f5c83da40688333431ce60a6582f8d1459f82fc479b6
SHA512

ded076c4a738cba5020e55783efe678199e656fbf0c8acac5843fb90d2eabb80e07a78b3c36332724635c80c00080892981669131980fca6400ecb288a30f391
SSDEEP

6144:nj0KL1qSJ6pP4swH3PJ/C+Qt24HpE50eAHxBMtcyQk4Ai:gKL1qBpgsSR/C+D4J6HtB+x

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral1/memory/2388-6-0x0000000000400000-0x0000000000504000-memory.dmp	modiloader_stage2
behavioral1/memory/2388-5-0x0000000000400000-0x0000000000504000-memory.dmp	modiloader_stage2

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2388 set thread context of 484	2388	0f244ee308e134658888ff333caabe77.exe	16

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\FieleWay.txt	0f244ee308e134658888ff333caabe77.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{ACAAAAA1-A82E-11EE-9240-46FAA8558A22} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "410224762"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
484	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
484	IEXPLORE.EXE
484	IEXPLORE.EXE
2504	IEXPLORE.EXE
2504	IEXPLORE.EXE
2504	IEXPLORE.EXE
2504	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 484	2388	0f244ee308e134658888ff333caabe77.exe	16
PID 2388 wrote to memory of 484	2388	0f244ee308e134658888ff333caabe77.exe	16
PID 2388 wrote to memory of 484	2388	0f244ee308e134658888ff333caabe77.exe	16
PID 2388 wrote to memory of 484	2388	0f244ee308e134658888ff333caabe77.exe	16
PID 2388 wrote to memory of 484	2388	0f244ee308e134658888ff333caabe77.exe	16
PID 484 wrote to memory of 2504	484	IEXPLORE.EXE	15
PID 484 wrote to memory of 2504	484	IEXPLORE.EXE	15
PID 484 wrote to memory of 2504	484	IEXPLORE.EXE	15
PID 484 wrote to memory of 2504	484	IEXPLORE.EXE	15

C:\Users\Admin\AppData\Local\Temp\0f244ee308e134658888ff333caabe77.exe
"C:\Users\Admin\AppData\Local\Temp\0f244ee308e134658888ff333caabe77.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2388
- C:\program files\internet explorer\IEXPLORE.EXE
  "C:\program files\internet explorer\IEXPLORE.EXE"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:484

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:484 CREDAT:275457 /prefetch:2
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c217ab0193c6edaf7515c797258da424

SHA1
a9e2e9919b3e95664d254a8cefe7bd63a3cc93f6

SHA256
add59eaf36f886fa65722bdfbc8a922b7dfd896608939cce6a6e8d8dbb0d5ad6

SHA512
44f64dd9dd14ec659a88556f7578ec0fb5989c8096f887ea4eef046efb31f75653ae9781e39db41d869c4c248b56c6c2fdebfe7114f284564fac054454165874

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f486a2c286063227fd0d7176a4091fe7

SHA1
b395980a5cdfd4a112a7713a8bb484907f99c60f

SHA256
f0978a1ab68b535ac90c4be06c987b2e51a304ebccb2b10363fdefe0ebf84e50

SHA512
68f247c2f0c38d7c858750dc6624bc7facf60a086647f943f2663eebd52812a0cc26b974a94087fc5f948d89f3b15785a33f5f8e8ae369e3507a80b2014f3074

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8d321d6bf67063ab2dd7bf9e43a6763a

SHA1
2145b1e1c8cf0508523157eb7c12a41d12444618

SHA256
41ed27387c3e6ca55cbcec71cb634bc9d84bfd77fd67c7c7e640fdfba91b78fd

SHA512
a7c0b70140cdaf42ab1404e79dad8e37caef7027a0b32df5b4d6aab9673f8a7daac6765555ebeba16059388782e0fac04c924bb110b6bb6430767e27fa11f1ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
79b12ab141b7ca36ac51fa77f37c7ccc

SHA1
ecfbd915625b6a796a9d57abf2bd1ede1cdef19d

SHA256
61a77bc9b2c6d51d78d21d4aba1119b5541b9b4055b071bd77a7c9cc542fab67

SHA512
b572343f46229b2a3b04b3c11bd3905e8f8a7231208e542040bfe9686e78a379e7634fcc63f8025684fd24bcbe58e3685b07656ea01182a62de7e43c58dd39cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c7a09dc20ae5b97f50ae225af3417da4

SHA1
f3d4f477e996660784a2bf224c8f09711925eb56

SHA256
9f954e577d190bbd438852ea0ec54b321fdd75cdbb3fa594931d8fe12c2f93d9

SHA512
716744b86f71264a758c81e9bff78d0230e114d88fe45c3712b0218ff0c0fbe1e0064486850b7e886d1badeb68ee39eac0d4686299916393116a0bfabcc1a87c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d351a1e3442b33162538e99ab3e67354

SHA1
ecdf7ce808d320f155af4196e6618269a0f0aea8

SHA256
b19348b0fb934a4aec256fd22e36f66ed25a73192df23b06882a310a12b29b74

SHA512
60f5223e79042afb641ad6f7ba9c13099200e200bbdc2fb0176fa4e1e458e0bab8d6b2a6eb1489c04bd19d0c71d48eda1493a4bcef7cf24ae6840f820cfa17cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0ed046b04a5afa518853207507e92c31

SHA1
068320f5b8fae91fab3876284976d97b13f56d3c

SHA256
58bd697947983b7ab0b6fa1dd9dd0529eb91c2d90467f760c3db35b734a51b86

SHA512
219bbe9cb0b72221439fc133348d86b7a8a026e6a62574ae706b46e18443ca4b26ea4b1909def56e0a76f17ebeb83ca66454536d9da2dcba956a29f0d549f794

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f9a191ab03665c0c60fc51787274a7b5

SHA1
f08c1ec990f839f0d22502c0a9a0d06bc265ef0e

SHA256
18261dddb1578e716f0ff19fc6896b5b70a17a1d71000c3e2390a1d8f644d6ee

SHA512
ae5d3a3672ce7bb31f620e2c66d8a537e367aaab690021d575087127d65d91d4aa6db43b03d32233ad1675445c122c078e8433e9c7304536cb54f1bfcd2da131

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b811bf00385428f1a9cadec7c1c72a85

SHA1
6b87e5ba97c0961f38a9827983242306de4dd305

SHA256
93b28d605ec9d8578db08f32066274789d5545c0204927cd1dd55dff9edec473

SHA512
8ec4046abf9f648631e053a35d5ed0c758308abe4bc787764e437a72f2e2d4a35df366d6b91f388a46d0783404fe3d02c7f6f235c9ce6781b82ddcd14eb9cc81

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6f6ed03d9eea7931b5cfec944f35daca

SHA1
d50e58dc3c312346f57fa1c57d1096bdf7196fb1

SHA256
52ee1a491d879bd3ad3deda3f6bacdb49b41b7e940fc73fa4966b1bb1b99dc45

SHA512
9d87483b4742efabae79374518bc6d8f26e917aba6bb89150a2c1434c0f029fc05418d2dfb119565f5f9a100906dc231803bf3eed24dd7396b67f527e1ff82a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e65fea1efaea52b7eb5d3d5444572ced

SHA1
56417b615e923784fa13648060f5f6ac8eb241a6

SHA256
a718e3e533ed811ebe5c6a3da1391284bf382158dc965862911cc1944912a28b

SHA512
1061c4ab991e2145c046e0c86d016657b46218f9f78fd44c9d39047b3fc2d19dec62c519c2876568e441d7f0911c0e3eb84e46c78eee0db70eccbcf944d4ae36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
31d91a7f5b1e9a0719804bd472395249

SHA1
2e61be1b05adaa67086653bf985d730ac7b97eda

SHA256
737f3afc1f234fafa00fbfd17ad194a4be15f7c2d91ba7f374e1da50642a4233

SHA512
861cd33ef2b6188817b8fa5cbd4ca29913873eaef92096d59fe3cd2cf159e3c93da7647f21fc9ea0419e9131db71a022e6dac542da452883c1eb2f88c67361b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b774b39aaa11acd087dd8016674ef7ab

SHA1
f211f76ef979a296502eb1aae87cdf03ad1c81aa

SHA256
42abf583241b123d298e6585dd2c91c01de0ee5c67d4688934be5f460fe04957

SHA512
4d01178aee4970cc83ec0df6647af81086e2882d7b68189f559dd98cc8c34ea0e8214e85d7d81b6e9f72f0fefe6055ad77597bd7affa0c5ea59ff8018a2832b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4956b4f9259cb6864fe8cb9efed06f7d

SHA1
eda044379d9a6aeed9a637a7ec05c6c54d580917

SHA256
1c2f7ca53b9b6570cf9b2e3a85d5528cf94469c8adca7642ff594a6338ab3c4d

SHA512
510665a3c6cd30c2417e2b06c012639cee2a9684392a36d8eb833562f5ba1ad27e726d330af8c33495b60dfff53fec22a2b3f4560da5d7a4503e3fb3d0576323

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0123545474d59086e8c4874b9d8b2507

SHA1
187a4f3f7a62de6fbb95be616250917871ecf4b9

SHA256
35c78735590e5b24820d605d4ef3994a0147be7e3d6fe2ea14a503d8440b301c

SHA512
d6f16994039d609052ff7134e72209593fb9ef3fb356f496111fcd611f4095625d9b38b9f6f0ce038ab485ed443b10e3df940605af98945abb4c1f7986e58016

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a4e383fe5e5eb206bd5154e233216104

SHA1
49e095856e239c863d1a52d235807889160b1b9e

SHA256
20a75b4698d34c35350b371f5d0e2a2dbcc2c78479d964ac57c76d89f8ca82fb

SHA512
2e3f52ff1b65f9dc210622ae7d0a32533bf2233032ac17b1db461454f17d450b7a8f56f431e2f449ce125d3e39b6db9faf4e8d8f4b758158dfdc6b9d40772e9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab86AE.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8F2B.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
memory/484-4-0x0000000000180000-0x0000000000284000-memory.dmp

Filesize
1.0MB

Download
memory/2388-0-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/2388-2-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2388-6-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/2388-5-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/2388-1-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download