modiloader | 134a0c288f08cb49f7748de5f9a825117c52a66f6c3d17452e2a771c5c11d806

Analysis

max time kernel
58s
max time network
147s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
12/01/2024, 19:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5757d5ec03e99b277a43c48e87ebe048.exe
Size

331KB
MD5

5757d5ec03e99b277a43c48e87ebe048
SHA1

7bf820845a432e67211624403768247700dd5e85
SHA256

134a0c288f08cb49f7748de5f9a825117c52a66f6c3d17452e2a771c5c11d806
SHA512

8aff3b4c32d78140a7b16a2e96af71a4b2d188cdd6b6424f9cfd15d45874ebb3b70c497872cf5755a9a6ba723927fce20bd3eb266bddda088a3d0fe5f4befe4c
SSDEEP

6144:aXlo65DDwUIvE4XZr0tELTS9EF4Sn4R5ZifT48keatK6ROt7Zhdelq2Acrc:ODwUuEk/SA4wsy48ke4RO+lq7crc

Score

10^/10

modiloader evasion trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 10 IoCs

resource	yara_rule
behavioral1/memory/2524-11-0x0000000000400000-0x000000000044C000-memory.dmp	modiloader_stage2
behavioral1/memory/2524-10-0x0000000000400000-0x000000000044C000-memory.dmp	modiloader_stage2
behavioral1/memory/2524-9-0x0000000000400000-0x000000000044C000-memory.dmp	modiloader_stage2
behavioral1/memory/2524-8-0x0000000000400000-0x000000000044C000-memory.dmp	modiloader_stage2
behavioral1/memory/2524-20-0x0000000000400000-0x000000000044C000-memory.dmp	modiloader_stage2
behavioral1/memory/1628-49-0x0000000000400000-0x000000000044C000-memory.dmp	modiloader_stage2
behavioral1/memory/1628-42-0x0000000000400000-0x000000000044C000-memory.dmp	modiloader_stage2
behavioral1/memory/1628-41-0x0000000000400000-0x000000000044C000-memory.dmp	modiloader_stage2
behavioral1/memory/1628-40-0x0000000000400000-0x000000000044C000-memory.dmp	modiloader_stage2
behavioral1/memory/1628-60-0x0000000000400000-0x000000000044C000-memory.dmp	modiloader_stage2

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5757d5ec03e99b277a43c48e87ebe048.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2760 set thread context of 2524	2760	5757d5ec03e99b277a43c48e87ebe048.exe	30

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2524	5757d5ec03e99b277a43c48e87ebe048.exe
Token: SeBackupPrivilege	2856	vssvc.exe
Token: SeRestorePrivilege	2856	vssvc.exe
Token: SeAuditPrivilege	2856	vssvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2760 wrote to memory of 2524	2760	5757d5ec03e99b277a43c48e87ebe048.exe	30
PID 2760 wrote to memory of 2524	2760	5757d5ec03e99b277a43c48e87ebe048.exe	30
PID 2760 wrote to memory of 2524	2760	5757d5ec03e99b277a43c48e87ebe048.exe	30
PID 2760 wrote to memory of 2524	2760	5757d5ec03e99b277a43c48e87ebe048.exe	30
PID 2760 wrote to memory of 2524	2760	5757d5ec03e99b277a43c48e87ebe048.exe	30
PID 2760 wrote to memory of 2524	2760	5757d5ec03e99b277a43c48e87ebe048.exe	30

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\5757d5ec03e99b277a43c48e87ebe048.exe
"C:\Users\Admin\AppData\Local\Temp\5757d5ec03e99b277a43c48e87ebe048.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Users\Admin\AppData\Local\Temp\5757d5ec03e99b277a43c48e87ebe048.exe
  C:\Users\Admin\AppData\Local\Temp\5757d5ec03e99b277a43c48e87ebe048.exe
  2⤵
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  PID:2524
- - C:\Windows\mstwain32.exe
    "C:\Windows\mstwain32.exe"
    3⤵
    PID:556
  - - C:\Windows\mstwain32.exe
      C:\Windows\mstwain32.exe
      4⤵
      PID:1628

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\cmsetac.dll

Filesize
33KB

MD5
fd9ef34d0769f24cce3f3243431650e2

SHA1
a729396511ec2ece5d421ed93f3f89a067cd998c

SHA256
c3af58121b840881e6f55e0ef0591dbad1548801c4a0ef34f50e90d54cfc72ab

SHA512
88ecf37e4502acf68da2131f78438e7bc09b14a3e30a5eab22c31eb58c1b57be39a8a81f7677f5559a753737281865bfcba2c97c3ba0532ebaf3cffb700b65bc

Download Submit
C:\Windows\mstwain32.exe

Filesize
92KB

MD5
7ace51855fe5e514d99c7e81f68f44eb

SHA1
fec4f4fee641991716a619825ef31a45522f5de5

SHA256
4bff8d80423bc6e34a2b0921544b35916aeeeef6cc91a9dc5e353a03a9b1286a

SHA512
8ca1637b36249d7caadf4d5266ec0535ca5ae182fc6cc6fadcf2b7f9573bce31e087e03d1a27065029ffd7b8a48dee6173eda4e007104e944e6b249645c09177

Download Submit
C:\Windows\mstwain32.exe

Filesize
16KB

MD5
46154a1df20f5c910a9d590c06f4a693

SHA1
c3712e13e2f509ea35adcd8f7c5a43a2ccb77666

SHA256
1258fd8ecf5d386525d5ba50f9a96f06bd828aa44e1ee3d4c3fa2dd89a49591b

SHA512
718d933a26e6b932fe5033dbf968b035885dfbbc6a5568921fd37cee9d65086d5708c421375d74a4d5d03c5967e67b7ebe32261ba50f1baacc6d51bedc3709fb

Download Submit
memory/556-66-0x00000000771A0000-0x0000000077290000-memory.dmp

Filesize
960KB

Download
memory/556-55-0x00000000002C0000-0x00000000002CE000-memory.dmp

Filesize
56KB

Download
memory/556-62-0x0000000010000000-0x000000001005E000-memory.dmp

Filesize
376KB

Download
memory/556-58-0x0000000077950000-0x00000000779D3000-memory.dmp

Filesize
524KB

Download
memory/556-59-0x0000000075670000-0x0000000075683000-memory.dmp

Filesize
76KB

Download
memory/556-57-0x0000000010000000-0x000000001005E000-memory.dmp

Filesize
376KB

Download
memory/556-65-0x0000000075670000-0x0000000075683000-memory.dmp

Filesize
76KB

Download
memory/556-31-0x0000000010000000-0x000000001005E000-memory.dmp

Filesize
376KB

Download
memory/556-64-0x0000000077950000-0x00000000779D3000-memory.dmp

Filesize
524KB

Download
memory/556-63-0x0000000010000000-0x000000001005E000-memory.dmp

Filesize
376KB

Download
memory/556-23-0x0000000010000000-0x000000001005E000-memory.dmp

Filesize
376KB

Download
memory/556-25-0x0000000010000000-0x000000001005E000-memory.dmp

Filesize
376KB

Download
memory/556-26-0x0000000010000000-0x000000001005E000-memory.dmp

Filesize
376KB

Download
memory/556-29-0x0000000010000000-0x000000001005E000-memory.dmp

Filesize
376KB

Download
memory/1628-49-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1628-67-0x00000000771A0000-0x0000000077290000-memory.dmp

Filesize
960KB

Download
memory/1628-51-0x00000000754D0000-0x00000000754E4000-memory.dmp

Filesize
80KB

Download
memory/1628-52-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/1628-50-0x00000000771A0000-0x0000000077290000-memory.dmp

Filesize
960KB

Download
memory/1628-60-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1628-47-0x0000000001E30000-0x0000000001E3E000-memory.dmp

Filesize
56KB

Download
memory/1628-46-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1628-42-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1628-41-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1628-40-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2524-11-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2524-5-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2524-6-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2524-8-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2524-9-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2524-10-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2524-20-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2760-21-0x0000000010000000-0x000000001005E000-memory.dmp

Filesize
376KB

Download
memory/2760-0-0x0000000010000000-0x000000001005E000-memory.dmp

Filesize
376KB

Download
memory/2760-4-0x0000000010000000-0x000000001005E000-memory.dmp

Filesize
376KB

Download
memory/2760-3-0x0000000010000000-0x000000001005E000-memory.dmp

Filesize
376KB

Download
memory/2760-2-0x0000000010000000-0x000000001005E000-memory.dmp

Filesize
376KB

Download
memory/2760-1-0x0000000010000000-0x000000001005E000-memory.dmp

Filesize
376KB

Download
memory/2760-68-0x0000000000270000-0x000000000027E000-memory.dmp

Filesize
56KB

Download
memory/2760-71-0x0000000075670000-0x0000000075683000-memory.dmp

Filesize
76KB

Download
memory/2760-70-0x0000000077950000-0x00000000779D3000-memory.dmp

Filesize
524KB

Download