modiloader | 7b9ed8b14141105159a339086596cc103523e615b309e53beb56e68fb82df384

General

Target

71b29326e25cd4536eccf0f66c41b229.exe
Size

1.0MB
MD5

71b29326e25cd4536eccf0f66c41b229
SHA1

10754a00be9726f05671f69d1790a7e797af87ab
SHA256

7b9ed8b14141105159a339086596cc103523e615b309e53beb56e68fb82df384
SHA512

c290be316da8c240aefdbfc447c673473036a5ed3458b2141f06b0e3309faf0a4b4af385fde8aba0970568f618bd0d0bec44264aef6c0914e76f5f101ffec089
SSDEEP

24576:dvVoxa8cIWoSpaBFasuLcdm4RrU9hgauaEZsoVhka20y2o61yMWXQC+aSMysCP4V:ddoxa8cIWoSpaBFasuLcdrrU9hgauaEi

Score

10^/10

modiloader trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral1/memory/3024-35-0x0000000000400000-0x0000000000512000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

pid	Process
1700	4300_1.exe
2808	4300_1.exe

Loads dropped DLL 3 IoCs

pid	Process
3024	71b29326e25cd4536eccf0f66c41b229.exe
3024	71b29326e25cd4536eccf0f66c41b229.exe
1700	4300_1.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000012252-2.dat	upx
behavioral1/memory/1700-12-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/1700-31-0x0000000000400000-0x000000000041A000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1700 set thread context of 2808	1700	4300_1.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2808	4300_1.exe
2808	4300_1.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2696	DllHost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1700	4300_1.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 1700	3024	71b29326e25cd4536eccf0f66c41b229.exe	28
PID 3024 wrote to memory of 1700	3024	71b29326e25cd4536eccf0f66c41b229.exe	28
PID 3024 wrote to memory of 1700	3024	71b29326e25cd4536eccf0f66c41b229.exe	28
PID 3024 wrote to memory of 1700	3024	71b29326e25cd4536eccf0f66c41b229.exe	28
PID 1700 wrote to memory of 2808	1700	4300_1.exe	29
PID 1700 wrote to memory of 2808	1700	4300_1.exe	29
PID 1700 wrote to memory of 2808	1700	4300_1.exe	29
PID 1700 wrote to memory of 2808	1700	4300_1.exe	29
PID 1700 wrote to memory of 2808	1700	4300_1.exe	29
PID 1700 wrote to memory of 2808	1700	4300_1.exe	29
PID 1700 wrote to memory of 2808	1700	4300_1.exe	29
PID 1700 wrote to memory of 2808	1700	4300_1.exe	29
PID 2808 wrote to memory of 1284	2808	4300_1.exe	15
PID 2808 wrote to memory of 1284	2808	4300_1.exe	15
PID 2808 wrote to memory of 1284	2808	4300_1.exe	15
PID 2808 wrote to memory of 1284	2808	4300_1.exe	15

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1284
- C:\Users\Admin\AppData\Local\Temp\71b29326e25cd4536eccf0f66c41b229.exe
  "C:\Users\Admin\AppData\Local\Temp\71b29326e25cd4536eccf0f66c41b229.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Users\Admin\AppData\Local\Temp\4300_1.exe
    "C:\Users\Admin\AppData\Local\Temp\4300_1.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1700
  - - C:\Users\Admin\AppData\Local\Temp\4300_1.exe
      C:\Users\Admin\AppData\Local\Temp\4300_1.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2808

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fffuntitled.bmp

Filesize
998KB

MD5
58456ce8c188ec2c66c488f5f21e7e4f

SHA1
757b7838b29d23ab5e1d00ff513527f51224cd6e

SHA256
451009a3c6d006a5108cfef35a0db0bfe7a302f3c24814f55295945b7946b552

SHA512
54e8d345ef8e2baf88c13849cd8bfae972ac2b9ecf189e3c22b4be786636528ed8c7f49e65516ea2141e097c5caec6d04f37938afc58e52e11f7867af6380098

Download Submit
\Users\Admin\AppData\Local\Temp\4300_1.exe

Filesize
56KB

MD5
f675d5cd6440557c1468544f7ef88298

SHA1
a71b3c7a8bc4dd41773e93758f34e9b974e1d475

SHA256
87aa72f7daf03411bef423c089496e95b7ee54737413b84c666f0c7920932fb6

SHA512
f3798fa2b2274063bcfaf16c7a8881e33320faa75a1e2d16b835e0ccfde65182d89b63b047384f4942212132584f349a2c1f80de347a7439805ce81c111616d5

Download Submit
memory/1284-42-0x000000007EFD0000-0x000000007EFD1000-memory.dmp

Filesize
4KB

Download
memory/1284-39-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/1700-31-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1700-19-0x0000000000390000-0x00000000003AA000-memory.dmp

Filesize
104KB

Download
memory/1700-12-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2696-53-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2696-36-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2696-34-0x0000000000120000-0x0000000000122000-memory.dmp

Filesize
8KB

Download
memory/2808-30-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2808-38-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2808-17-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2808-32-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2808-20-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2808-26-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2808-52-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2808-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2808-22-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2808-51-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2808-29-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3024-9-0x00000000003E0000-0x00000000003FA000-memory.dmp

Filesize
104KB

Download
memory/3024-11-0x00000000003E0000-0x00000000003FA000-memory.dmp

Filesize
104KB

Download
memory/3024-35-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/3024-33-0x00000000003F0000-0x00000000003F2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing