modiloader | 5d589f59393d4ef3747eee4ed8825aa83cbae246e1b5521be6fb884011f12e82

Analysis

max time kernel
142s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11/01/2024, 22:23

Target

54bdc2ee50df12c04692d2ae1bb9fe97.exe
Size

57KB
MD5

54bdc2ee50df12c04692d2ae1bb9fe97
SHA1

5348beb29570f898a35c64b5811334fd8b0e8b88
SHA256

5d589f59393d4ef3747eee4ed8825aa83cbae246e1b5521be6fb884011f12e82
SHA512

41552b8d3ee2913df4adfbfebcec746b4b9cfc7d0bd7d6722334c3090d7ce15a18d9d6f274cccc01e84bc26a82380a69d2e5810b235d212fb0007565ce5dbeb5
SSDEEP

1536:Xm7wjsVTJ+p3JrkGLawHE/E2j+EHwnOE1/o88t/T/lBvA:c+sVT45mn/bjnWo8sTNBo

Score

10^/10

modiloader trojan

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

resource	yara_rule
behavioral2/memory/3948-3-0x0000000000400000-0x000000000041F000-memory.dmp	modiloader_stage2
behavioral2/files/0x000400000001e96f-5.dat	modiloader_stage2
behavioral2/memory/3948-2-0x0000000000400000-0x000000000041F000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

pid	Process
2408	temp.exe
3464	tcpip.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\tcpip.exe	temp.exe
File opened for modification	C:\Windows\SysWOW64\tcpip.exe	temp.exe
File created	C:\Windows\SysWOW64\mmmmmmmm.bat	temp.exe
File created	C:\Windows\SysWOW64\msiupdata.dll	tcpip.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2408	temp.exe
Token: SeDebugPrivilege	3464	tcpip.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3948 wrote to memory of 3376	3948	54bdc2ee50df12c04692d2ae1bb9fe97.exe	23
PID 3948 wrote to memory of 3376	3948	54bdc2ee50df12c04692d2ae1bb9fe97.exe	23
PID 3948 wrote to memory of 3376	3948	54bdc2ee50df12c04692d2ae1bb9fe97.exe	23
PID 3376 wrote to memory of 2408	3376	cmd.exe	21
PID 3376 wrote to memory of 2408	3376	cmd.exe	21
PID 3376 wrote to memory of 2408	3376	cmd.exe	21
PID 2408 wrote to memory of 2772	2408	temp.exe	19
PID 2408 wrote to memory of 2772	2408	temp.exe	19
PID 2408 wrote to memory of 2772	2408	temp.exe	19
PID 3464 wrote to memory of 3424	3464	tcpip.exe	54

C:\Users\Admin\AppData\Local\Temp\54bdc2ee50df12c04692d2ae1bb9fe97.exe
"C:\Users\Admin\AppData\Local\Temp\54bdc2ee50df12c04692d2ae1bb9fe97.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\temp.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\mmmmmmmm.bat
1⤵
PID:2772

C:\Users\Admin\AppData\Local\Temp\temp.exe

Filesize
43KB

MD5
a24bcc56a5262901bfdd1f5dee46f610

SHA1
d091f4db4285726a1fd853992a3e480b959f80f8

SHA256
173eb64828e1c38a452906d6294840e5fd37311aeea18adcfdac8e84d11557c8

SHA512
42db2e15047ddc849dbd19ca10a41d097e6a2acb299497c06c85d76125046704dd5e65b3f7221459900a4510230792c4b39219562a11a5a6ead56d297f0c58cb

Download Submit
memory/3948-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3948-3-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3948-2-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download