modiloader | 5cf1c028e3aa841f275fa03093c3e877dc5e1119d8e1e8916b43f3574aa005b4

Analysis

max time kernel
131s
max time network
144s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
11/01/2024, 00:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

520b1f650949ea16a462b06385aef99d.exe
Size

488KB
MD5

520b1f650949ea16a462b06385aef99d
SHA1

4e30d11e555d908a7ed00862d692e10f9df537e3
SHA256

5cf1c028e3aa841f275fa03093c3e877dc5e1119d8e1e8916b43f3574aa005b4
SHA512

ebcbf83491b4b1c4d7652a225eb41ae4ccd2228ea3dc8d6e5e474d499f18606f6f5e0d9c25603813b3384fed0f4eee0c31900e11a73d742d58d837d152876197
SSDEEP

12288:4MsLABOwJLkfWF3Z4mxxWBkMy90UHKFz87F0Zq4:VZOwJLxQmXWtE0CgzDZq4

Score

10^/10

modiloader trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral1/memory/2508-278-0x0000000010410000-0x000000001046D000-memory.dmp	modiloader_stage2
behavioral1/memory/2508-282-0x0000000010410000-0x000000001046D000-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

pid	Process
2740	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2624	netservice.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2508-278-0x0000000010410000-0x000000001046D000-memory.dmp	upx
behavioral1/memory/2508-282-0x0000000010410000-0x000000001046D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1936	520b1f650949ea16a462b06385aef99d.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2624	netservice.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 2740	1936	520b1f650949ea16a462b06385aef99d.exe	29
PID 1936 wrote to memory of 2740	1936	520b1f650949ea16a462b06385aef99d.exe	29
PID 1936 wrote to memory of 2740	1936	520b1f650949ea16a462b06385aef99d.exe	29
PID 1936 wrote to memory of 2740	1936	520b1f650949ea16a462b06385aef99d.exe	29
PID 2624 wrote to memory of 2508	2624	netservice.exe	31
PID 2624 wrote to memory of 2508	2624	netservice.exe	31
PID 2624 wrote to memory of 2508	2624	netservice.exe	31
PID 2624 wrote to memory of 2508	2624	netservice.exe	31
PID 2624 wrote to memory of 2508	2624	netservice.exe	31
PID 2624 wrote to memory of 2508	2624	netservice.exe	31
PID 2624 wrote to memory of 2508	2624	netservice.exe	31
PID 2624 wrote to memory of 2508	2624	netservice.exe	31
PID 2624 wrote to memory of 2508	2624	netservice.exe	31
PID 2624 wrote to memory of 2508	2624	netservice.exe	31
PID 2624 wrote to memory of 2508	2624	netservice.exe	31
PID 2624 wrote to memory of 2508	2624	netservice.exe	31
PID 2624 wrote to memory of 2508	2624	netservice.exe	31
PID 2624 wrote to memory of 2508	2624	netservice.exe	31
PID 2624 wrote to memory of 2508	2624	netservice.exe	31
PID 2624 wrote to memory of 2508	2624	netservice.exe	31
PID 2624 wrote to memory of 2508	2624	netservice.exe	31
PID 2624 wrote to memory of 2508	2624	netservice.exe	31
PID 2624 wrote to memory of 2508	2624	netservice.exe	31
PID 2624 wrote to memory of 2508	2624	netservice.exe	31
PID 2624 wrote to memory of 2508	2624	netservice.exe	31
PID 2624 wrote to memory of 2508	2624	netservice.exe	31
PID 2624 wrote to memory of 2508	2624	netservice.exe	31
PID 2624 wrote to memory of 2508	2624	netservice.exe	31
PID 2624 wrote to memory of 2508	2624	netservice.exe	31
PID 2624 wrote to memory of 2508	2624	netservice.exe	31
PID 2624 wrote to memory of 2508	2624	netservice.exe	31
PID 2624 wrote to memory of 2508	2624	netservice.exe	31
PID 2624 wrote to memory of 2508	2624	netservice.exe	31
PID 2624 wrote to memory of 2508	2624	netservice.exe	31
PID 2624 wrote to memory of 2508	2624	netservice.exe	31
PID 2624 wrote to memory of 2508	2624	netservice.exe	31
PID 2624 wrote to memory of 2508	2624	netservice.exe	31
PID 2624 wrote to memory of 2508	2624	netservice.exe	31
PID 2624 wrote to memory of 2508	2624	netservice.exe	31
PID 2624 wrote to memory of 2508	2624	netservice.exe	31
PID 2624 wrote to memory of 2508	2624	netservice.exe	31
PID 2624 wrote to memory of 2508	2624	netservice.exe	31
PID 2624 wrote to memory of 2508	2624	netservice.exe	31
PID 2624 wrote to memory of 2508	2624	netservice.exe	31
PID 2624 wrote to memory of 2508	2624	netservice.exe	31
PID 2624 wrote to memory of 2508	2624	netservice.exe	31
PID 2624 wrote to memory of 2508	2624	netservice.exe	31
PID 2624 wrote to memory of 2508	2624	netservice.exe	31
PID 2624 wrote to memory of 2508	2624	netservice.exe	31
PID 2624 wrote to memory of 2508	2624	netservice.exe	31
PID 2624 wrote to memory of 2508	2624	netservice.exe	31
PID 2624 wrote to memory of 2508	2624	netservice.exe	31
PID 2624 wrote to memory of 2508	2624	netservice.exe	31
PID 2624 wrote to memory of 2508	2624	netservice.exe	31
PID 2624 wrote to memory of 2508	2624	netservice.exe	31
PID 2624 wrote to memory of 2508	2624	netservice.exe	31
PID 2624 wrote to memory of 2508	2624	netservice.exe	31
PID 2624 wrote to memory of 2508	2624	netservice.exe	31
PID 2624 wrote to memory of 2508	2624	netservice.exe	31
PID 2624 wrote to memory of 2508	2624	netservice.exe	31
PID 2624 wrote to memory of 2508	2624	netservice.exe	31
PID 2624 wrote to memory of 2508	2624	netservice.exe	31
PID 2624 wrote to memory of 2508	2624	netservice.exe	31
PID 2624 wrote to memory of 2508	2624	netservice.exe	31

C:\Users\Admin\AppData\Local\Temp\520b1f650949ea16a462b06385aef99d.exe
"C:\Users\Admin\AppData\Local\Temp\520b1f650949ea16a462b06385aef99d.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del "C:\Users\Admin\AppData\Local\Temp\520b1f650949ea16a462b06385aef99d.exe"
  2⤵
  - Deletes itself
  PID:2740

C:\Users\Admin\Favorites\netservice.exe
C:\Users\Admin\Favorites\netservice.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2624
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Favorites\netservice.exe

Filesize
98KB

MD5
2ab5fee467911e5c1c8b7cfb2054d297

SHA1
28e78935de67572fb800f23b7307fe11852b80e4

SHA256
c70e018a61d0e6faed97715fe9e430703a9ed8e3b16a79e4afd83a777658a9e5

SHA512
79db284e4b95aee124e69e1d79f47f064f6b235abaf6ed499f4febf23302c5e5ac82d41c55703cbafd119dadcb6ae17b6aa4dbf4ff83252e0106540a0dd20baa

Download Submit
C:\Users\Admin\Favorites\netservice.exe

Filesize
93KB

MD5
66929a9b1a573d78c2ae5ba093691f96

SHA1
efb7f6118b3321ad62e6afaf00c434bdbc8768e6

SHA256
299e2bfd25445283dc1b4625a1256bf84b75178f6e5b0c573daebc50debc18a7

SHA512
df70094981024c1508f4c7856f5ea1e4445f6876449d608e218af4f194df26bec64c0193318d784c20de09799a2ea95db5ab5d81f0e1ad88b29b9af4f8ff46a7

Download Submit
memory/1936-17-0x0000000001D90000-0x0000000001D91000-memory.dmp

Filesize
4KB

Download
memory/1936-0-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/1936-10-0x00000000031B0000-0x00000000031B1000-memory.dmp

Filesize
4KB

Download
memory/1936-52-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/1936-53-0x0000000001C10000-0x0000000001C64000-memory.dmp

Filesize
336KB

Download
memory/1936-2-0x0000000001BB0000-0x0000000001BB1000-memory.dmp

Filesize
4KB

Download
memory/1936-3-0x0000000001C00000-0x0000000001C01000-memory.dmp

Filesize
4KB

Download
memory/1936-4-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1936-7-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1936-8-0x0000000001BF0000-0x0000000001BF1000-memory.dmp

Filesize
4KB

Download
memory/1936-9-0x0000000001BE0000-0x0000000001BE1000-memory.dmp

Filesize
4KB

Download
memory/1936-29-0x0000000003220000-0x0000000003221000-memory.dmp

Filesize
4KB

Download
memory/1936-30-0x0000000003190000-0x0000000003192000-memory.dmp

Filesize
8KB

Download
memory/1936-13-0x0000000001DE0000-0x0000000001DE1000-memory.dmp

Filesize
4KB

Download
memory/1936-1-0x0000000001C10000-0x0000000001C64000-memory.dmp

Filesize
336KB

Download
memory/1936-14-0x0000000001DC0000-0x0000000001DC1000-memory.dmp

Filesize
4KB

Download
memory/1936-39-0x0000000001BD0000-0x0000000001BD1000-memory.dmp

Filesize
4KB

Download
memory/1936-15-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/1936-16-0x0000000001DA0000-0x0000000001DA1000-memory.dmp

Filesize
4KB

Download
memory/1936-31-0x0000000001D80000-0x0000000001D81000-memory.dmp

Filesize
4KB

Download
memory/1936-38-0x0000000003210000-0x0000000003211000-memory.dmp

Filesize
4KB

Download
memory/1936-37-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/1936-36-0x00000000031D0000-0x00000000031D1000-memory.dmp

Filesize
4KB

Download
memory/1936-35-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download
memory/1936-34-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1936-33-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1936-32-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/1936-12-0x00000000031A0000-0x00000000031A2000-memory.dmp

Filesize
8KB

Download
memory/1936-11-0x0000000001D70000-0x0000000001D71000-memory.dmp

Filesize
4KB

Download
memory/1936-28-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/1936-27-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/1936-26-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/1936-25-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1936-24-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/1936-23-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/1936-22-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/1936-21-0x0000000001DB0000-0x0000000001DB1000-memory.dmp

Filesize
4KB

Download
memory/1936-20-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/1936-19-0x0000000001DF0000-0x0000000001DF1000-memory.dmp

Filesize
4KB

Download
memory/1936-18-0x0000000001E00000-0x0000000001E01000-memory.dmp

Filesize
4KB

Download
memory/2508-278-0x0000000010410000-0x000000001046D000-memory.dmp

Filesize
372KB

Download
memory/2508-58-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2508-66-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2508-282-0x0000000010410000-0x000000001046D000-memory.dmp

Filesize
372KB

Download
memory/2624-45-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/2624-44-0x0000000003090000-0x0000000003091000-memory.dmp

Filesize
4KB

Download
memory/2624-281-0x0000000000280000-0x00000000002D4000-memory.dmp

Filesize
336KB

Download
memory/2624-43-0x0000000000280000-0x00000000002D4000-memory.dmp

Filesize
336KB

Download
memory/2624-46-0x0000000003070000-0x0000000003072000-memory.dmp

Filesize
8KB

Download
memory/2624-280-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2624-47-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2624-48-0x0000000003110000-0x0000000003111000-memory.dmp

Filesize
4KB

Download
memory/2624-49-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/2624-50-0x00000000030B0000-0x00000000030B1000-memory.dmp

Filesize
4KB

Download
memory/2624-51-0x00000000030A0000-0x00000000030A1000-memory.dmp

Filesize
4KB

Download
memory/2624-41-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download