modiloader | 9fc381cfdae2b1cf1c60fd9556cdba5e729f234da8836f2f00dffdeae4148c03

Analysis

max time kernel
142s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 16:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74eb0a978cf707fc2a3c33edec9f1f79.exe
Size

652KB
MD5

74eb0a978cf707fc2a3c33edec9f1f79
SHA1

27c0b24d1eb776b7536727bf6ed66b0414178f5c
SHA256

9fc381cfdae2b1cf1c60fd9556cdba5e729f234da8836f2f00dffdeae4148c03
SHA512

aac7845313be9f4ca802ed9682eec6e29d15733334df2f3d58ad1b0aafe3cfb616acdfa6990dc4ab46d04480a94a33eccb761a98255d00fa43e172100678880a
SSDEEP

12288:Te6g5JKP/Ic71V0ao0WADIyJjcSoF3Z4mxxPALW3mZxMZtk:a6g5MPl3Xlc9QmXPAi3qxMZt

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2032-126-0x0000000000400000-0x00000000005D5000-memory.dmp	modiloader_stage2
behavioral1/memory/2692-127-0x0000000000400000-0x00000000005D5000-memory.dmp	modiloader_stage2
behavioral1/memory/2032-147-0x0000000000400000-0x00000000005D5000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

Processes:

KAV2007.exe

pid process

2692 KAV2007.exe
Loads dropped DLL 5 IoCs

Processes:

74eb0a978cf707fc2a3c33edec9f1f79.exeWerFault.exe

pid process

2032 74eb0a978cf707fc2a3c33edec9f1f79.exe
2032 74eb0a978cf707fc2a3c33edec9f1f79.exe
1980 WerFault.exe
1980 WerFault.exe
1980 WerFault.exe

pid	process
2692	KAV2007.exe

pid	process
2032	74eb0a978cf707fc2a3c33edec9f1f79.exe
2032	74eb0a978cf707fc2a3c33edec9f1f79.exe
1980	WerFault.exe
1980	WerFault.exe
1980	WerFault.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

74eb0a978cf707fc2a3c33edec9f1f79.exe

description	ioc	process
File opened (read-only)	\??\Q:	74eb0a978cf707fc2a3c33edec9f1f79.exe
File opened (read-only)	\??\X:	74eb0a978cf707fc2a3c33edec9f1f79.exe
File opened (read-only)	\??\A:	74eb0a978cf707fc2a3c33edec9f1f79.exe
File opened (read-only)	\??\I:	74eb0a978cf707fc2a3c33edec9f1f79.exe
File opened (read-only)	\??\L:	74eb0a978cf707fc2a3c33edec9f1f79.exe
File opened (read-only)	\??\S:	74eb0a978cf707fc2a3c33edec9f1f79.exe
File opened (read-only)	\??\Y:	74eb0a978cf707fc2a3c33edec9f1f79.exe
File opened (read-only)	\??\Z:	74eb0a978cf707fc2a3c33edec9f1f79.exe
File opened (read-only)	\??\B:	74eb0a978cf707fc2a3c33edec9f1f79.exe
File opened (read-only)	\??\K:	74eb0a978cf707fc2a3c33edec9f1f79.exe
File opened (read-only)	\??\P:	74eb0a978cf707fc2a3c33edec9f1f79.exe
File opened (read-only)	\??\T:	74eb0a978cf707fc2a3c33edec9f1f79.exe
File opened (read-only)	\??\V:	74eb0a978cf707fc2a3c33edec9f1f79.exe
File opened (read-only)	\??\H:	74eb0a978cf707fc2a3c33edec9f1f79.exe
File opened (read-only)	\??\N:	74eb0a978cf707fc2a3c33edec9f1f79.exe
File opened (read-only)	\??\O:	74eb0a978cf707fc2a3c33edec9f1f79.exe
File opened (read-only)	\??\M:	74eb0a978cf707fc2a3c33edec9f1f79.exe
File opened (read-only)	\??\R:	74eb0a978cf707fc2a3c33edec9f1f79.exe
File opened (read-only)	\??\U:	74eb0a978cf707fc2a3c33edec9f1f79.exe
File opened (read-only)	\??\W:	74eb0a978cf707fc2a3c33edec9f1f79.exe
File opened (read-only)	\??\E:	74eb0a978cf707fc2a3c33edec9f1f79.exe
File opened (read-only)	\??\G:	74eb0a978cf707fc2a3c33edec9f1f79.exe
File opened (read-only)	\??\J:	74eb0a978cf707fc2a3c33edec9f1f79.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

74eb0a978cf707fc2a3c33edec9f1f79.exe

description	ioc	process
File created	F:\AutoRun.inf	74eb0a978cf707fc2a3c33edec9f1f79.exe
File opened for modification	F:\AutoRun.inf	74eb0a978cf707fc2a3c33edec9f1f79.exe
File created	C:\AutoRun.inf	74eb0a978cf707fc2a3c33edec9f1f79.exe
File opened for modification	C:\AutoRun.inf	74eb0a978cf707fc2a3c33edec9f1f79.exe

Drops file in System32 directory 2 IoCs

Processes:

KAV2007.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\_KAV2007.exe KAV2007.exe
File created C:\Windows\SysWOW64\_KAV2007.exe KAV2007.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\_KAV2007.exe	KAV2007.exe
File created	C:\Windows\SysWOW64\_KAV2007.exe	KAV2007.exe

Drops file in Program Files directory 2 IoCs

Processes:

74eb0a978cf707fc2a3c33edec9f1f79.exe

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\KAV2007.exe	74eb0a978cf707fc2a3c33edec9f1f79.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\KAV2007.exe	74eb0a978cf707fc2a3c33edec9f1f79.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1980 2692 WerFault.exe KAV2007.exe

pid	pid_target	process	target process
1980	2692	WerFault.exe	KAV2007.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

74eb0a978cf707fc2a3c33edec9f1f79.exeKAV2007.exe

description	pid	process	target process
PID 2032 wrote to memory of 2692	2032	74eb0a978cf707fc2a3c33edec9f1f79.exe	KAV2007.exe
PID 2032 wrote to memory of 2692	2032	74eb0a978cf707fc2a3c33edec9f1f79.exe	KAV2007.exe
PID 2032 wrote to memory of 2692	2032	74eb0a978cf707fc2a3c33edec9f1f79.exe	KAV2007.exe
PID 2032 wrote to memory of 2692	2032	74eb0a978cf707fc2a3c33edec9f1f79.exe	KAV2007.exe
PID 2692 wrote to memory of 1980	2692	KAV2007.exe	WerFault.exe
PID 2692 wrote to memory of 1980	2692	KAV2007.exe	WerFault.exe
PID 2692 wrote to memory of 1980	2692	KAV2007.exe	WerFault.exe
PID 2692 wrote to memory of 1980	2692	KAV2007.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\74eb0a978cf707fc2a3c33edec9f1f79.exe
"C:\Users\Admin\AppData\Local\Temp\74eb0a978cf707fc2a3c33edec9f1f79.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2032

C:\Program Files\Common Files\Microsoft Shared\MSINFO\KAV2007.exe
"C:\Program Files\Common Files\Microsoft Shared\MSINFO\KAV2007.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 304
3⤵
- Loads dropped DLL
- Program crash
PID:1980

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSINFO\KAV2007.exe
Filesize
44KB

MD5
f10063b31123b9f2269f0bfd4fea9306

SHA1
0f5fc73f63d6f4c13226171024f7cbfa931de7a5

SHA256
84effeaa3504cc50d599ff6e9dc7842bca1d7905775b021c8fa38c5f6f73be21

SHA512
6443e41a27198054cd03aaeddeb5e289975c8cff21c3d8e1e4f233df65524b5759113495ec3cb514118c3f30fe4efcd58dc29f57f8494ed9b25368a7f7e3805d

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSInfo\KAV2007.exe
Filesize
111KB

MD5
4bf6ec6b0e43d98c635212e57eae22df

SHA1
2ced4a5295423d6c691be21537c3a08e6fac49c4

SHA256
c9c2a8eb9ee9a5bcbdfa1547c01c4d65b3723b58c4d80e3adb385bc446462e6a

SHA512
db58d7b89e9418f9a90e7c5e6d8d1b1822f0cbb6fcc18f0fc5986029aed5352d785e52f8ba612a24fdfeb7830d98305ddc2bc381f534d911c4bd3e020deb93d2

Download Submit
F:\KAV2007.exe
Filesize
218KB

MD5
996f10e82d00993850eeba171d8889c6

SHA1
047c443c2fc9f51c695d1758378ba805b116678f

SHA256
83653ca940f7613bab7e378c1751ca95e75070b7725b73a1c50ac5e7648cb118

SHA512
2ecc9b97226e044e893bafefd574be5305be0caa92d493cd2169c4fea2cf411869d4cd4115a73f94784e15bc304964b369b0acc1cafa60ea443f8564811446cc

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\KAV2007.exe
Filesize
64KB

MD5
3f005fbbf5bac7c82599aea54dc1f10c

SHA1
a212e9197ad5509755811a42fd0ba52a96403e3b

SHA256
ff9b9e34bba8de20cb650763d759e5126928ec19d66a5c5d470b3d031f5f61a2

SHA512
a064291f4358819cba78c528a35f91cccf50cf6d8a94ff0ef9fa2a1b8028db2b3442cc0f8182cddaca33a4fc0296778538780bb21e61c22258fd77d49af32217

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\KAV2007.exe
Filesize
31KB

MD5
ab37045473783c5178d7989bfc429cdc

SHA1
3395cd081c061e59fd32ac4360a78594472ed4d1

SHA256
aa9fbc2e1dd9cedc5bca305b6df1b675f0821f76f23812804c666fb74117b1b5

SHA512
949823724a99e3716ed17ed08839394a209f4989527b636e7b60625e857757e6e490ed609f79a47145056fd1d1848cd049437b868d063906b8f864abcefbf469

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\KAV2007.exe
Filesize
60KB

MD5
eca13910c1909b0127343e0acfadfc24

SHA1
6005d3bb400c446d209894944ee50da3e8ee2800

SHA256
70866666edffd52a4eb3e9f59846685724cf0b8ddc80757f0fbb6aa2baa6fcc0

SHA512
39d336aaf37761d6bbf0df3c7b1c52499a4172afd230a01992dd027fd6ca85ec73c95bebb98fa7314e5ef80b6d1ced7c2864d8b821f6bee9251ddfe2b13875e8

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\KAV2007.exe
Filesize
35KB

MD5
1847ceae3a4b640a25a4821c71a16b00

SHA1
ad6bccc49dcaf5e55945811d6073cd973dd86154

SHA256
e91506c70026b8f8388a96f8fcd8e8ddae06d18c91aeb41f159f2387755edf62

SHA512
c30cc8b6138f82165d672f4deeb9934ab86f20d9842bbe3fc874f39ca3ffa897ad7755be917dfa1bc07b50ae20c915bb405d443a4522e43db39c596dba312f71

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\KAV2007.exe
Filesize
1KB

MD5
52dc6bb8760d315c9a143c8ae14cae1c

SHA1
46fde2eed0192e88da0ff2cbc0bb2df07e6d90f4

SHA256
a0d501d16194992ae995fcf2639e35dc13a5109978f5a35cf8f27f7777b7d68b

SHA512
aa60e27652d5b9f8d9ac832164a43f418943abad44f23c76090587922c845136e5dabd98c96004d478554880414c7043d92d903c3d816dfa6242c45e13203cc8

Download Submit
memory/2032-69-0x0000000003440000-0x0000000003540000-memory.dmp

Filesize
1024KB

Download
memory/2032-43-0x0000000003440000-0x0000000003540000-memory.dmp

Filesize
1024KB

Download
memory/2032-7-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/2032-6-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/2032-23-0x0000000003440000-0x0000000003540000-memory.dmp

Filesize
1024KB

Download
memory/2032-22-0x0000000003440000-0x0000000003540000-memory.dmp

Filesize
1024KB

Download
memory/2032-21-0x0000000003440000-0x0000000003540000-memory.dmp

Filesize
1024KB

Download
memory/2032-0-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2032-25-0x0000000003440000-0x0000000003540000-memory.dmp

Filesize
1024KB

Download
memory/2032-26-0x0000000003440000-0x0000000003540000-memory.dmp

Filesize
1024KB

Download
memory/2032-28-0x0000000003440000-0x0000000003540000-memory.dmp

Filesize
1024KB

Download
memory/2032-27-0x0000000003440000-0x0000000003540000-memory.dmp

Filesize
1024KB

Download
memory/2032-33-0x0000000003440000-0x0000000003540000-memory.dmp

Filesize
1024KB

Download
memory/2032-67-0x0000000003440000-0x0000000003540000-memory.dmp

Filesize
1024KB

Download
memory/2032-44-0x0000000003440000-0x0000000003540000-memory.dmp

Filesize
1024KB

Download
memory/2032-47-0x0000000003440000-0x0000000003540000-memory.dmp

Filesize
1024KB

Download
memory/2032-48-0x0000000003440000-0x0000000003540000-memory.dmp

Filesize
1024KB

Download
memory/2032-66-0x0000000003440000-0x0000000003540000-memory.dmp

Filesize
1024KB

Download
memory/2032-56-0x0000000003440000-0x0000000003540000-memory.dmp

Filesize
1024KB

Download
memory/2032-59-0x0000000003440000-0x0000000003540000-memory.dmp

Filesize
1024KB

Download
memory/2032-60-0x0000000003440000-0x0000000003540000-memory.dmp

Filesize
1024KB

Download
memory/2032-61-0x0000000003440000-0x0000000003540000-memory.dmp

Filesize
1024KB

Download
memory/2032-65-0x0000000003440000-0x0000000003540000-memory.dmp

Filesize
1024KB

Download
memory/2032-64-0x0000000003440000-0x0000000003540000-memory.dmp

Filesize
1024KB

Download
memory/2032-73-0x0000000003440000-0x0000000003540000-memory.dmp

Filesize
1024KB

Download
memory/2032-72-0x0000000003440000-0x0000000003540000-memory.dmp

Filesize
1024KB

Download
memory/2032-71-0x0000000003440000-0x0000000003540000-memory.dmp

Filesize
1024KB

Download
memory/2032-70-0x0000000003440000-0x0000000003540000-memory.dmp

Filesize
1024KB

Download
memory/2032-8-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/2032-68-0x0000000003440000-0x0000000003540000-memory.dmp

Filesize
1024KB

Download
memory/2032-9-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/2032-1-0x00000000008D0000-0x0000000000924000-memory.dmp

Filesize
336KB

Download
memory/2032-24-0x0000000003440000-0x0000000003540000-memory.dmp

Filesize
1024KB

Download
memory/2032-10-0x0000000003440000-0x0000000003540000-memory.dmp

Filesize
1024KB

Download
memory/2032-50-0x0000000003440000-0x0000000003540000-memory.dmp

Filesize
1024KB

Download
memory/2032-63-0x0000000003440000-0x0000000003540000-memory.dmp

Filesize
1024KB

Download
memory/2032-62-0x0000000003440000-0x0000000003540000-memory.dmp

Filesize
1024KB

Download
memory/2032-58-0x0000000003440000-0x0000000003540000-memory.dmp

Filesize
1024KB

Download
memory/2032-57-0x0000000003440000-0x0000000003540000-memory.dmp

Filesize
1024KB

Download
memory/2032-55-0x0000000003440000-0x0000000003540000-memory.dmp

Filesize
1024KB

Download
memory/2032-54-0x0000000003440000-0x0000000003540000-memory.dmp

Filesize
1024KB

Download
memory/2032-53-0x0000000003440000-0x0000000003540000-memory.dmp

Filesize
1024KB

Download
memory/2032-52-0x0000000003440000-0x0000000003540000-memory.dmp

Filesize
1024KB

Download
memory/2032-51-0x0000000003440000-0x0000000003540000-memory.dmp

Filesize
1024KB

Download
memory/2032-49-0x0000000003440000-0x0000000003540000-memory.dmp

Filesize
1024KB

Download
memory/2032-46-0x0000000003440000-0x0000000003540000-memory.dmp

Filesize
1024KB

Download
memory/2032-45-0x0000000003440000-0x0000000003540000-memory.dmp

Filesize
1024KB

Download
memory/2032-42-0x0000000003440000-0x0000000003540000-memory.dmp

Filesize
1024KB

Download
memory/2032-41-0x0000000003440000-0x0000000003540000-memory.dmp

Filesize
1024KB

Download
memory/2032-40-0x0000000003440000-0x0000000003540000-memory.dmp

Filesize
1024KB

Download
memory/2032-39-0x0000000003440000-0x0000000003540000-memory.dmp

Filesize
1024KB

Download
memory/2032-38-0x0000000003440000-0x0000000003540000-memory.dmp

Filesize
1024KB

Download
memory/2032-37-0x0000000003440000-0x0000000003540000-memory.dmp

Filesize
1024KB

Download
memory/2032-36-0x0000000003440000-0x0000000003540000-memory.dmp

Filesize
1024KB

Download
memory/2032-35-0x0000000003440000-0x0000000003540000-memory.dmp

Filesize
1024KB

Download
memory/2032-34-0x0000000003440000-0x0000000003540000-memory.dmp

Filesize
1024KB

Download
memory/2032-32-0x0000000003440000-0x0000000003540000-memory.dmp

Filesize
1024KB

Download
memory/2032-31-0x0000000003440000-0x0000000003540000-memory.dmp

Filesize
1024KB

Download
memory/2032-30-0x0000000003440000-0x0000000003540000-memory.dmp

Filesize
1024KB

Download
memory/2032-29-0x0000000003440000-0x0000000003540000-memory.dmp

Filesize
1024KB

Download
memory/2032-5-0x0000000000930000-0x0000000000931000-memory.dmp

Filesize
4KB

Download
memory/2032-4-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/2032-3-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/2032-2-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/2032-126-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2032-147-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2692-127-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads