modiloader | e0f492b56cdde36c64daa34406e43e16113e7b7e43952895529dea6b65eacd6b

Analysis

max time kernel
141s
max time network
128s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04/01/2024, 00:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

BuhtaClient.exe
Size

12.9MB
MD5

c82005128e4de1cad09fbde5fdef3290
SHA1

f4cfb7e40efb4a2a74ef734cb7dc0b70d2348ab4
SHA256

612a2dcda3fcec5e2b4e0ca7c6f99952ef9274a482445c439261597884db5848
SHA512

622d8f81193d57c30ffa12b8f3d4ada6d52d6fe229d2b0a9b6fe79f52dd531ecc25334d2016204e943efe1060267aa323d446b88d783fd4e20b68fbc88af2d13
SSDEEP

196608:tenHQWQw5KP+4OQF51fa51F5zttrD2VmfXooAl2qSzTfv6YbKaqKpIPuS/HCQ:t+D5Kmk1CPz7rqvl2qS3X7ld

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader First Stage 5 IoCs

resource	yara_rule
behavioral3/memory/1140-2-0x0000000000400000-0x0000000002D0B000-memory.dmp	modiloader_stage1
behavioral3/memory/1140-3-0x0000000000400000-0x0000000002D0B000-memory.dmp	modiloader_stage1
behavioral3/memory/1140-4-0x0000000000400000-0x0000000002D0B000-memory.dmp	modiloader_stage1
behavioral3/memory/1140-5-0x0000000000400000-0x0000000002D0B000-memory.dmp	modiloader_stage1
behavioral3/memory/1140-6-0x0000000000400000-0x0000000002D0B000-memory.dmp	modiloader_stage1

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2852	1140	WerFault.exe	23

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{88861623-2B95-4BE1-B165-AACA7B43A353}\LocalServer32	BuhtaClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bmProject.EventSupportBMPro\Clsid	BuhtaClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{88861623-2B95-4BE1-B165-AACA7B43A353}\ProgID	BuhtaClient.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{88861623-2B95-4BE1-B165-AACA7B43A353}\ProgID\ = "bmProject.EventSupportBMPro"	BuhtaClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{88861623-2B95-4BE1-B165-AACA7B43A353}\Version	BuhtaClient.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{88861623-2B95-4BE1-B165-AACA7B43A353}\Version\ = "1.0"	BuhtaClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{88861623-2B95-4BE1-B165-AACA7B43A353}	BuhtaClient.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bmProject.EventSupportBMPro\ = "Ïðîãðàììà ÁÓÕòà 1.0"	BuhtaClient.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bmProject.EventSupportBMPro\Clsid\ = "{88861623-2B95-4BE1-B165-AACA7B43A353}"	BuhtaClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bmProject.EventSupportBMPro	BuhtaClient.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{88861623-2B95-4BE1-B165-AACA7B43A353}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BuhtaClient.exe /bmProjectPivotExcelModule"	BuhtaClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{88861623-2B95-4BE1-B165-AACA7B43A353}\TypeLib	BuhtaClient.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{88861623-2B95-4BE1-B165-AACA7B43A353}\TypeLib\ = "{655F813B-DED0-4053-AB5C-2250F76AB966}"	BuhtaClient.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{88861623-2B95-4BE1-B165-AACA7B43A353}\ = "Ïðîãðàììà ÁÓÕòà 1.0"	BuhtaClient.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1140	BuhtaClient.exe
1140	BuhtaClient.exe
1140	BuhtaClient.exe
1140	BuhtaClient.exe
1140	BuhtaClient.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1140 wrote to memory of 2664	1140	BuhtaClient.exe	28
PID 1140 wrote to memory of 2664	1140	BuhtaClient.exe	28
PID 1140 wrote to memory of 2664	1140	BuhtaClient.exe	28
PID 1140 wrote to memory of 2664	1140	BuhtaClient.exe	28
PID 1140 wrote to memory of 2852	1140	BuhtaClient.exe	30
PID 1140 wrote to memory of 2852	1140	BuhtaClient.exe	30
PID 1140 wrote to memory of 2852	1140	BuhtaClient.exe	30
PID 1140 wrote to memory of 2852	1140	BuhtaClient.exe	30

C:\Users\Admin\AppData\Local\Temp\BuhtaClient.exe
"C:\Users\Admin\AppData\Local\Temp\BuhtaClient.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2664
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1140 -s 736
  2⤵
  - Program crash
  PID:2852

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1140-0-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1140-2-0x0000000000400000-0x0000000002D0B000-memory.dmp

Filesize
41.0MB

Download
memory/1140-3-0x0000000000400000-0x0000000002D0B000-memory.dmp

Filesize
41.0MB

Download
memory/1140-4-0x0000000000400000-0x0000000002D0B000-memory.dmp

Filesize
41.0MB

Download
memory/1140-5-0x0000000000400000-0x0000000002D0B000-memory.dmp

Filesize
41.0MB

Download
memory/1140-6-0x0000000000400000-0x0000000002D0B000-memory.dmp

Filesize
41.0MB

Download
memory/1140-9-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download