modiloader | bab4e004442b7727df2c058332637eb38e304188e28404ef41bff76a38058a05

Analysis

max time kernel
143s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
11/01/2024, 13:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53a487d0b2a957b3d38c2bbf3ff69507.exe
Size

673KB
MD5

53a487d0b2a957b3d38c2bbf3ff69507
SHA1

a6951a5709033f5c40b12d16bf612caec6515547
SHA256

bab4e004442b7727df2c058332637eb38e304188e28404ef41bff76a38058a05
SHA512

b814df0477e997fdd40b4b928d54eac5cdbeb771f79b28625cccf3859ef283ee364d9b2ade79aafb3565f06616b055e6d0072a99aefc0a57e937329367278d87
SSDEEP

12288:zPoxrl2z1tvDfsTnJVs0CTSUfRVosLF/HF3Z4mxx6DqVTVOCSdp:b2szTDGJ4TSvsLFQmXBVTzSdp

Score

10^/10

modiloader persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 10 IoCs

resource	yara_rule
behavioral1/files/0x000c000000016764-6.dat	modiloader_stage2
behavioral1/files/0x000c000000016764-14.dat	modiloader_stage2
behavioral1/files/0x002f000000016cb4-36.dat	modiloader_stage2
behavioral1/files/0x002f000000016cb4-37.dat	modiloader_stage2
behavioral1/files/0x002f000000016cb4-35.dat	modiloader_stage2
behavioral1/memory/2708-32-0x0000000000400000-0x00000000004C0000-memory.dmp	modiloader_stage2
behavioral1/files/0x002f000000016cb4-24.dat	modiloader_stage2
behavioral1/memory/2380-39-0x0000000000400000-0x00000000004C0000-memory.dmp	modiloader_stage2
behavioral1/memory/2336-40-0x0000000000400000-0x00000000004C0000-memory.dmp	modiloader_stage2
behavioral1/memory/2380-55-0x0000000000400000-0x00000000004C0000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

pid	Process
2380	a.exe
2336	Windows.exe

Loads dropped DLL 9 IoCs

pid	Process
2180	53a487d0b2a957b3d38c2bbf3ff69507.exe
2180	53a487d0b2a957b3d38c2bbf3ff69507.exe
2380	a.exe
2380	a.exe
2380	a.exe
2336	Windows.exe
2852	WerFault.exe
2852	WerFault.exe
2852	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	53a487d0b2a957b3d38c2bbf3ff69507.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\_Windows.exe	Windows.exe
File opened for modification	C:\Windows\SysWOW64\_Windows.exe	Windows.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2336 set thread context of 2708	2336	Windows.exe	31

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\Windows.exe	a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\Windows.exe	a.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\SxDel.bat	a.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2852	2336	WerFault.exe	29

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2380	2180	53a487d0b2a957b3d38c2bbf3ff69507.exe	28
PID 2180 wrote to memory of 2380	2180	53a487d0b2a957b3d38c2bbf3ff69507.exe	28
PID 2180 wrote to memory of 2380	2180	53a487d0b2a957b3d38c2bbf3ff69507.exe	28
PID 2180 wrote to memory of 2380	2180	53a487d0b2a957b3d38c2bbf3ff69507.exe	28
PID 2180 wrote to memory of 2380	2180	53a487d0b2a957b3d38c2bbf3ff69507.exe	28
PID 2180 wrote to memory of 2380	2180	53a487d0b2a957b3d38c2bbf3ff69507.exe	28
PID 2180 wrote to memory of 2380	2180	53a487d0b2a957b3d38c2bbf3ff69507.exe	28
PID 2380 wrote to memory of 2336	2380	a.exe	29
PID 2380 wrote to memory of 2336	2380	a.exe	29
PID 2380 wrote to memory of 2336	2380	a.exe	29
PID 2380 wrote to memory of 2336	2380	a.exe	29
PID 2380 wrote to memory of 2336	2380	a.exe	29
PID 2380 wrote to memory of 2336	2380	a.exe	29
PID 2380 wrote to memory of 2336	2380	a.exe	29
PID 2336 wrote to memory of 2708	2336	Windows.exe	31
PID 2336 wrote to memory of 2708	2336	Windows.exe	31
PID 2336 wrote to memory of 2708	2336	Windows.exe	31
PID 2336 wrote to memory of 2708	2336	Windows.exe	31
PID 2336 wrote to memory of 2708	2336	Windows.exe	31
PID 2336 wrote to memory of 2708	2336	Windows.exe	31
PID 2336 wrote to memory of 2708	2336	Windows.exe	31
PID 2336 wrote to memory of 2708	2336	Windows.exe	31
PID 2336 wrote to memory of 2708	2336	Windows.exe	31
PID 2336 wrote to memory of 2852	2336	Windows.exe	30
PID 2336 wrote to memory of 2852	2336	Windows.exe	30
PID 2336 wrote to memory of 2852	2336	Windows.exe	30
PID 2336 wrote to memory of 2852	2336	Windows.exe	30
PID 2336 wrote to memory of 2852	2336	Windows.exe	30
PID 2336 wrote to memory of 2852	2336	Windows.exe	30
PID 2336 wrote to memory of 2852	2336	Windows.exe	30
PID 2380 wrote to memory of 2768	2380	a.exe	32
PID 2380 wrote to memory of 2768	2380	a.exe	32
PID 2380 wrote to memory of 2768	2380	a.exe	32
PID 2380 wrote to memory of 2768	2380	a.exe	32
PID 2380 wrote to memory of 2768	2380	a.exe	32
PID 2380 wrote to memory of 2768	2380	a.exe	32
PID 2380 wrote to memory of 2768	2380	a.exe	32

C:\Users\Admin\AppData\Local\Temp\53a487d0b2a957b3d38c2bbf3ff69507.exe
"C:\Users\Admin\AppData\Local\Temp\53a487d0b2a957b3d38c2bbf3ff69507.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Program Files\Common Files\Microsoft Shared\MSINFO\Windows.exe
    "C:\Program Files\Common Files\Microsoft Shared\MSINFO\Windows.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2336
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 340
      4⤵
      Loads dropped DLL
      Program crash
      PID:2852
  - - C:\Windows\SysWOW64\calc.exe
      "C:\Windows\system32\calc.exe"
      4⤵
      PID:2708
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\SxDel.bat""
    3⤵
    PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSINFO\Windows.exe

Filesize
382KB

MD5
bb16af13ad72aae73eb5547250eea9ec

SHA1
8d5a8076e0c5e79a36fc0b7d0fc3ba998aaf26bc

SHA256
a804b9e54d85ae83eb3111ac4daacff4d496741f495d30aee34f9df6339712fb

SHA512
05bfaf61aa6626e3a2c57cb835155e446e1472d4059ef19e606d7a83d8513b244b3d27b338ff267b1f3c880c1bcd48f55cb1a9a22fa5634588fc2bd39ef53261

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSInfo\SxDel.bat

Filesize
144B

MD5
f5b4598473463ff817bbe839300f9d3f

SHA1
ed82f12e92c5ab9f566c4f67b2605339c3a1c687

SHA256
4f0fad33f337ac22085a49f8b55754b5ca611867832a51688423627f9948b2f8

SHA512
1777d232406752caa9bfc2f3682c0a81789153f7503ce6151b023df79a11303721851f8633b36475aba3dca335c40c286cc611573849bfc8bd185367bc6b7a24

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\Windows.exe

Filesize
93KB

MD5
9d08162983171a3e4895d2398a057178

SHA1
838a76a811f92fc6af81155e33ab59fd601faa92

SHA256
3134f30923a70a2b0e7dece7b5d3b448afe4e422b890f8233914145cf52705dd

SHA512
4e674fa6d99614b364f53fd28ecbb68b8d8f198c1554d939c4417cd360d5e6d8bea08b1c1139de27f1e9b55ba1547ef02e494cd6bbf39ba6dbae37499bac8200

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\Windows.exe

Filesize
381KB

MD5
f47c9ddcbd6b2e17d7551e622c0a9f4a

SHA1
d781d4f3b597016a39cc2b4b7f09d1801d42c5c6

SHA256
bd50162058f24c5d13ee5bef1b386e448b5c4d931780efb13ab80c2cee63002c

SHA512
1b43d0e542f6edd73116abe59c507421f789af2b899e0031525a6c485e3e7d8e91a46184d80c6befa641c389c396124f00e5001e8906e8c118bf23a8425193e5

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\Windows.exe

Filesize
98KB

MD5
051e17173bf6a3cecdd6155ff2ffd417

SHA1
6fee19c016d2a8bafc2bb328bc700ee69695baa4

SHA256
71837faa16b85ca30b50e1d52ad5c701f4687673d631ddbf1fff595fd076268e

SHA512
6170fe899f4e01b27277b257ae19a45b8dd234d3d366b64c4419b5433995f82edb110300d1e775fb855b8fe1bddd6a620509bf6b893854fe4937856f32efc0cd

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\a.exe

Filesize
231KB

MD5
6a69d738b7089456b0a740ee6583c64f

SHA1
0b6e90b209b8c3b0b090e82d46388d2570a8ea08

SHA256
e0a38cbe3c405977dca293cace7103b36a2b2c04060fc1fcf6426c3633018e10

SHA512
b09bdfc039ea3e345b288139faa0d21f5e95ec0f8fb743864ad438c16d5fa956634d6d2dabafcd05b32e14ba26b07aa85deac6c3c4bd9aff8f685837deec22ac

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\a.exe

Filesize
742KB

MD5
f09b9cde104a81007e6107bd17687249

SHA1
5dbd8a3645d200e14ff187f9d54256cddbf5d0dd

SHA256
6b1df323cb7d13f461f7ddf5ba5b91c1c19eecceab0dcc617c0fc0fad9eb5714

SHA512
f675600f84b0b66a898d5104bca4479dddad4775c1979745db45fbff91884bd874e681143b02fedb568f614370d816be63f60486c5eac19517bb40f9bd48dd68

Download Submit
memory/2180-41-0x0000000000790000-0x0000000000844000-memory.dmp

Filesize
720KB

Download
memory/2180-3-0x0000000003650000-0x0000000003653000-memory.dmp

Filesize
12KB

Download
memory/2180-57-0x00000000006A0000-0x00000000006F4000-memory.dmp

Filesize
336KB

Download
memory/2180-56-0x0000000001000000-0x00000000010B4000-memory.dmp

Filesize
720KB

Download
memory/2180-1-0x00000000006A0000-0x00000000006F4000-memory.dmp

Filesize
336KB

Download
memory/2180-42-0x00000000006A0000-0x00000000006F4000-memory.dmp

Filesize
336KB

Download
memory/2180-2-0x0000000001000000-0x00000000010B4000-memory.dmp

Filesize
720KB

Download
memory/2180-38-0x0000000001000000-0x00000000010B4000-memory.dmp

Filesize
720KB

Download
memory/2180-0-0x0000000001000000-0x00000000010B4000-memory.dmp

Filesize
720KB

Download
memory/2336-40-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2380-39-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2380-55-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2708-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2708-30-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2708-32-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads