modiloader | 3fb969ec5b0437e97927c84fe97c767efd848ef113dc92c66068477e78d79e30

Analysis

max time kernel
134s
max time network
139s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
10/01/2024, 23:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51e44b5c11f51dcc5130b0a9d613746e.exe
Size

237KB
MD5

51e44b5c11f51dcc5130b0a9d613746e
SHA1

0817ee1663d3b6911d56011be7f43e7706824682
SHA256

3fb969ec5b0437e97927c84fe97c767efd848ef113dc92c66068477e78d79e30
SHA512

c2b4c35929dc04740a7eeed74cba08ea622f5ac00f43975844d930395028e9906c3e90fda6fdef66b1221093829a3b13862b89756b4d702d15350ce02f4ec26a
SSDEEP

6144:xhepqwiaX7dofMSncBZSNK0cudVSrHMadEJwxCxV+1LKn7AO5uG:+qw2fUBAEujSQCEqxD1LgAO5uG

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 4 IoCs

resource	yara_rule
behavioral1/memory/2084-2-0x0000000000400000-0x00000000004CA000-memory.dmp	modiloader_stage2
behavioral1/memory/2084-6-0x0000000000400000-0x00000000004CA000-memory.dmp	modiloader_stage2
behavioral1/memory/2084-29-0x0000000000400000-0x00000000004CA000-memory.dmp	modiloader_stage2
behavioral1/memory/112-20-0x0000000000400000-0x00000000004CA000-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

pid	Process
1220	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
112	ddos.exe

Loads dropped DLL 2 IoCs

pid	Process
2084	51e44b5c11f51dcc5130b0a9d613746e.exe
2084	51e44b5c11f51dcc5130b0a9d613746e.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Deleteme.bat	51e44b5c11f51dcc5130b0a9d613746e.exe
File created	C:\Windows\SysWOW64\ddos.exe	51e44b5c11f51dcc5130b0a9d613746e.exe
File opened for modification	C:\Windows\SysWOW64\ddos.exe	51e44b5c11f51dcc5130b0a9d613746e.exe
File opened for modification	C:\Windows\SysWOW64\ddos.exe	ddos.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 112	2084	51e44b5c11f51dcc5130b0a9d613746e.exe	29
PID 2084 wrote to memory of 112	2084	51e44b5c11f51dcc5130b0a9d613746e.exe	29
PID 2084 wrote to memory of 112	2084	51e44b5c11f51dcc5130b0a9d613746e.exe	29
PID 2084 wrote to memory of 112	2084	51e44b5c11f51dcc5130b0a9d613746e.exe	29
PID 2084 wrote to memory of 1220	2084	51e44b5c11f51dcc5130b0a9d613746e.exe	31
PID 2084 wrote to memory of 1220	2084	51e44b5c11f51dcc5130b0a9d613746e.exe	31
PID 2084 wrote to memory of 1220	2084	51e44b5c11f51dcc5130b0a9d613746e.exe	31
PID 2084 wrote to memory of 1220	2084	51e44b5c11f51dcc5130b0a9d613746e.exe	31

C:\Users\Admin\AppData\Local\Temp\51e44b5c11f51dcc5130b0a9d613746e.exe
"C:\Users\Admin\AppData\Local\Temp\51e44b5c11f51dcc5130b0a9d613746e.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\SysWOW64\ddos.exe
  C:\Windows\system32\ddos.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:112
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\Deleteme.bat
  2⤵
  - Deletes itself
  PID:1220

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Deleteme.bat

Filesize
184B

MD5
b1fec9eaddd71222fdb5a96f6a32dd84

SHA1
be1bf5def620e4a0a109ee5a101529c86b11d8f5

SHA256
b4e0719401eee5a5dd34657d62e4e834a70cf55c4c14f65d06ceb72f581dceff

SHA512
8a687d1b9057ddcadf3f79c67e9d0eb6dc84d1baea8c45a47a7490ec9f28b3cf9835dbca832a5a5dfdf092523f8f669d44311bff0aab469249889407e3a99574

Download Submit
\Windows\SysWOW64\ddos.exe

Filesize
237KB

MD5
51e44b5c11f51dcc5130b0a9d613746e

SHA1
0817ee1663d3b6911d56011be7f43e7706824682

SHA256
3fb969ec5b0437e97927c84fe97c767efd848ef113dc92c66068477e78d79e30

SHA512
c2b4c35929dc04740a7eeed74cba08ea622f5ac00f43975844d930395028e9906c3e90fda6fdef66b1221093829a3b13862b89756b4d702d15350ce02f4ec26a

Download Submit
memory/112-18-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/112-16-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/112-21-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/112-20-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/112-31-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2084-3-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2084-6-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2084-7-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2084-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2084-9-0x0000000002070000-0x000000000213A000-memory.dmp

Filesize
808KB

Download
memory/2084-0-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2084-29-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2084-2-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download