modiloader | f4cd37ddc7e2fd3a0cbb20a080d1aa31a311968585177d5f763ed4eead0b0322

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
08/01/2024, 22:54

Target

4cab603af94ed3047e42a284a535d415.exe
Size

579KB
MD5

4cab603af94ed3047e42a284a535d415
SHA1

c15c9e26bf6df69162ca4a664809ef76d0562e37
SHA256

f4cd37ddc7e2fd3a0cbb20a080d1aa31a311968585177d5f763ed4eead0b0322
SHA512

e2386acb702ee73b0ed5d5b48dabf7ad13fd9f781b956b24b733d3656a7a95413ca5f020e73afcabe8694c70f18b71ffb352b878381b305fdf178d3f99cfacaf
SSDEEP

12288:GBNqc2sUQvNi2+m0ilhXWjeZKwF3Z4mxxN4IxSo62jDrkAc:GCLsliHeX6eowQmXNsohkr

Score

10^/10

modiloader trojan

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral1/memory/2492-13-0x0000000000400000-0x0000000000551000-memory.dmp	modiloader_stage2

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\FieleWay.txt	4cab603af94ed3047e42a284a535d415.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2184	2492	WerFault.exe	18

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 2660	2492	4cab603af94ed3047e42a284a535d415.exe	28
PID 2492 wrote to memory of 2660	2492	4cab603af94ed3047e42a284a535d415.exe	28
PID 2492 wrote to memory of 2660	2492	4cab603af94ed3047e42a284a535d415.exe	28
PID 2492 wrote to memory of 2660	2492	4cab603af94ed3047e42a284a535d415.exe	28
PID 2492 wrote to memory of 2184	2492	4cab603af94ed3047e42a284a535d415.exe	29
PID 2492 wrote to memory of 2184	2492	4cab603af94ed3047e42a284a535d415.exe	29
PID 2492 wrote to memory of 2184	2492	4cab603af94ed3047e42a284a535d415.exe	29
PID 2492 wrote to memory of 2184	2492	4cab603af94ed3047e42a284a535d415.exe	29

C:\Users\Admin\AppData\Local\Temp\4cab603af94ed3047e42a284a535d415.exe
"C:\Users\Admin\AppData\Local\Temp\4cab603af94ed3047e42a284a535d415.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2492
- C:\program files\internet explorer\IEXPLORE.EXE
  "C:\program files\internet explorer\IEXPLORE.EXE"
  2⤵
  PID:2660
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 316
  2⤵
  - Program crash
  PID:2184

memory/2492-0-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/2492-1-0x0000000000350000-0x00000000003A4000-memory.dmp

Filesize
336KB

Download
memory/2492-10-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2492-9-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/2492-8-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/2492-7-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/2492-6-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2492-5-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2492-4-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/2492-3-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2492-2-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/2492-11-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download
memory/2492-13-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/2492-14-0x0000000000350000-0x00000000003A4000-memory.dmp

Filesize
336KB

Download
memory/2492-15-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download