modiloader | 7bf951e39016463135de1fd22808d8f0c3de35bbc53ee501c5b3445abc8a3691

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04/01/2024, 15:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41384e75eda07c111a9f049ef7c7913a.exe
Size

30KB
MD5

41384e75eda07c111a9f049ef7c7913a
SHA1

ba6fd0e97026b8b9f3d3d46f14d0974a77c31194
SHA256

7bf951e39016463135de1fd22808d8f0c3de35bbc53ee501c5b3445abc8a3691
SHA512

5f1b49b8465b4b26248fd03a14fb33ce2ddca53529ebd0ef0bdd1e86a8b1b952fd5358e6d935bab57b80ac4fc0b24072769662569967b90012755bd0a18e0700
SSDEEP

768:KhGC2uTOMxIEhhG2mE12HXyCNRewmcsuuv:Kh32bMlkE12CCjewmQi

Score

10^/10

modiloader persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

resource	yara_rule
behavioral1/memory/2688-1-0x0000000000400000-0x0000000000421000-memory.dmp	modiloader_stage2
behavioral1/memory/2688-0-0x0000000000400000-0x0000000000421000-memory.dmp	modiloader_stage2
behavioral1/memory/2688-3-0x0000000000400000-0x0000000000421000-memory.dmp	modiloader_stage2

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msmsgs = "C:\\Program Files\\Internet Explorer\\explorer.exe"	41384e75eda07c111a9f049ef7c7913a.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\explorer.exe	41384e75eda07c111a9f049ef7c7913a.exe
File opened for modification	C:\Program Files\Internet Explorer\explorer.exe	41384e75eda07c111a9f049ef7c7913a.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2688	41384e75eda07c111a9f049ef7c7913a.exe
2688	41384e75eda07c111a9f049ef7c7913a.exe
2688	41384e75eda07c111a9f049ef7c7913a.exe
2688	41384e75eda07c111a9f049ef7c7913a.exe
2688	41384e75eda07c111a9f049ef7c7913a.exe
2688	41384e75eda07c111a9f049ef7c7913a.exe
2688	41384e75eda07c111a9f049ef7c7913a.exe
2688	41384e75eda07c111a9f049ef7c7913a.exe
2688	41384e75eda07c111a9f049ef7c7913a.exe
2688	41384e75eda07c111a9f049ef7c7913a.exe
2688	41384e75eda07c111a9f049ef7c7913a.exe
2688	41384e75eda07c111a9f049ef7c7913a.exe
2688	41384e75eda07c111a9f049ef7c7913a.exe
2688	41384e75eda07c111a9f049ef7c7913a.exe
2688	41384e75eda07c111a9f049ef7c7913a.exe
2688	41384e75eda07c111a9f049ef7c7913a.exe
2688	41384e75eda07c111a9f049ef7c7913a.exe
2688	41384e75eda07c111a9f049ef7c7913a.exe
2688	41384e75eda07c111a9f049ef7c7913a.exe
2688	41384e75eda07c111a9f049ef7c7913a.exe
2688	41384e75eda07c111a9f049ef7c7913a.exe
2688	41384e75eda07c111a9f049ef7c7913a.exe
2688	41384e75eda07c111a9f049ef7c7913a.exe
2688	41384e75eda07c111a9f049ef7c7913a.exe
2688	41384e75eda07c111a9f049ef7c7913a.exe
2688	41384e75eda07c111a9f049ef7c7913a.exe
2688	41384e75eda07c111a9f049ef7c7913a.exe
2688	41384e75eda07c111a9f049ef7c7913a.exe
2688	41384e75eda07c111a9f049ef7c7913a.exe
2688	41384e75eda07c111a9f049ef7c7913a.exe
2688	41384e75eda07c111a9f049ef7c7913a.exe
2688	41384e75eda07c111a9f049ef7c7913a.exe
2688	41384e75eda07c111a9f049ef7c7913a.exe
2688	41384e75eda07c111a9f049ef7c7913a.exe
2688	41384e75eda07c111a9f049ef7c7913a.exe
2688	41384e75eda07c111a9f049ef7c7913a.exe
2688	41384e75eda07c111a9f049ef7c7913a.exe
2688	41384e75eda07c111a9f049ef7c7913a.exe
2688	41384e75eda07c111a9f049ef7c7913a.exe
2688	41384e75eda07c111a9f049ef7c7913a.exe
2688	41384e75eda07c111a9f049ef7c7913a.exe
2688	41384e75eda07c111a9f049ef7c7913a.exe
2688	41384e75eda07c111a9f049ef7c7913a.exe
2688	41384e75eda07c111a9f049ef7c7913a.exe
2688	41384e75eda07c111a9f049ef7c7913a.exe
2688	41384e75eda07c111a9f049ef7c7913a.exe
2688	41384e75eda07c111a9f049ef7c7913a.exe
2688	41384e75eda07c111a9f049ef7c7913a.exe
2688	41384e75eda07c111a9f049ef7c7913a.exe
2688	41384e75eda07c111a9f049ef7c7913a.exe
2688	41384e75eda07c111a9f049ef7c7913a.exe
2688	41384e75eda07c111a9f049ef7c7913a.exe
2688	41384e75eda07c111a9f049ef7c7913a.exe
2688	41384e75eda07c111a9f049ef7c7913a.exe
2688	41384e75eda07c111a9f049ef7c7913a.exe
2688	41384e75eda07c111a9f049ef7c7913a.exe
2688	41384e75eda07c111a9f049ef7c7913a.exe
2688	41384e75eda07c111a9f049ef7c7913a.exe
2688	41384e75eda07c111a9f049ef7c7913a.exe
2688	41384e75eda07c111a9f049ef7c7913a.exe
2688	41384e75eda07c111a9f049ef7c7913a.exe
2688	41384e75eda07c111a9f049ef7c7913a.exe
2688	41384e75eda07c111a9f049ef7c7913a.exe
2688	41384e75eda07c111a9f049ef7c7913a.exe

C:\Users\Admin\AppData\Local\Temp\41384e75eda07c111a9f049ef7c7913a.exe
"C:\Users\Admin\AppData\Local\Temp\41384e75eda07c111a9f049ef7c7913a.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2688-1-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2688-0-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2688-3-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download