Malware Analysis Report

2025-08-05 14:32

Sample ID 240203-wd8sxahdal
Target 8cf591136fec7bd474a84c232e01155a
SHA256 791e84d0017b4fabe903ae49cf3379bfd333c23d927b402d85e9d9bd669ba52f
Tags
modiloader bootkit evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

791e84d0017b4fabe903ae49cf3379bfd333c23d927b402d85e9d9bd669ba52f

Threat Level: Known bad

The file 8cf591136fec7bd474a84c232e01155a was found to be: Known bad.

Malicious Activity Summary

modiloader bootkit evasion persistence trojan

ModiLoader, DBatLoader

Modifies visibility of hidden/system files in Explorer

ModiLoader Second Stage

Loads dropped DLL

Deletes itself

Executes dropped EXE

Adds Run key to start application

Writes to the Master Boot Record (MBR)

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Enumerates processes with tasklist

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-03 17:49

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-03 17:49

Reported

2024-02-03 17:52

Platform

win7-20231215-en

Max time kernel

33s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8cf591136fec7bd474a84c232e01155a.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\vxwom.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\B85EgtCQKi4p6Z9Kt2.exe N/A

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\B85EgtCQKi4p6Z9Kt2.exe N/A
N/A N/A C:\Users\Admin\cod.exe N/A
N/A N/A C:\Users\Admin\cof.exe N/A
N/A N/A C:\Users\Admin\cog.exe N/A
N/A N/A C:\Users\Admin\cog.exe N/A
N/A N/A C:\Users\Admin\vxwom.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\vxwom = "C:\\Users\\Admin\\vxwom.exe /j" C:\Users\Admin\vxwom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Msojukemuguxav = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\mfwutese.dll\",Startup" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\vxwom = "C:\\Users\\Admin\\vxwom.exe /D" C:\Users\Admin\vxwom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\vxwom = "C:\\Users\\Admin\\vxwom.exe /a" C:\Users\Admin\vxwom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\vxwom = "C:\\Users\\Admin\\vxwom.exe /C" C:\Users\Admin\vxwom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\vxwom = "C:\\Users\\Admin\\vxwom.exe /L" C:\Users\Admin\vxwom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\vxwom = "C:\\Users\\Admin\\vxwom.exe /h" C:\Users\Admin\vxwom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\vxwom = "C:\\Users\\Admin\\vxwom.exe /b" C:\Users\Admin\vxwom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\vxwom = "C:\\Users\\Admin\\vxwom.exe /o" C:\Users\Admin\vxwom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\vxwom = "C:\\Users\\Admin\\vxwom.exe /F" C:\Users\Admin\vxwom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\vxwom = "C:\\Users\\Admin\\vxwom.exe /q" C:\Users\Admin\vxwom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\vxwom = "C:\\Users\\Admin\\vxwom.exe /E" C:\Users\Admin\vxwom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\vxwom = "C:\\Users\\Admin\\vxwom.exe /u" C:\Users\Admin\vxwom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\vxwom = "C:\\Users\\Admin\\vxwom.exe /Z" C:\Users\Admin\vxwom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\vxwom = "C:\\Users\\Admin\\vxwom.exe /A" C:\Users\Admin\vxwom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\vxwom = "C:\\Users\\Admin\\vxwom.exe /f" C:\Users\Admin\vxwom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\vxwom = "C:\\Users\\Admin\\vxwom.exe /z" C:\Users\Admin\B85EgtCQKi4p6Z9Kt2.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\vxwom = "C:\\Users\\Admin\\vxwom.exe /l" C:\Users\Admin\vxwom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\vxwom = "C:\\Users\\Admin\\vxwom.exe /T" C:\Users\Admin\vxwom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\vxwom = "C:\\Users\\Admin\\vxwom.exe /y" C:\Users\Admin\vxwom.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\physicaldrive0 C:\Users\Admin\cod.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1252 set thread context of 2084 N/A C:\Users\Admin\cog.exe C:\Users\Admin\cog.exe

Enumerates physical storage devices

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\cog.exe N/A
N/A N/A C:\Users\Admin\B85EgtCQKi4p6Z9Kt2.exe N/A
N/A N/A C:\Users\Admin\cog.exe N/A
N/A N/A C:\Users\Admin\B85EgtCQKi4p6Z9Kt2.exe N/A
N/A N/A C:\Users\Admin\cog.exe N/A
N/A N/A C:\Users\Admin\cog.exe N/A
N/A N/A C:\Users\Admin\cog.exe N/A
N/A N/A C:\Users\Admin\cog.exe N/A
N/A N/A C:\Users\Admin\cog.exe N/A
N/A N/A C:\Users\Admin\cog.exe N/A
N/A N/A C:\Users\Admin\cog.exe N/A
N/A N/A C:\Users\Admin\cog.exe N/A
N/A N/A C:\Users\Admin\cog.exe N/A
N/A N/A C:\Users\Admin\cog.exe N/A
N/A N/A C:\Users\Admin\cog.exe N/A
N/A N/A C:\Users\Admin\cog.exe N/A
N/A N/A C:\Users\Admin\cog.exe N/A
N/A N/A C:\Users\Admin\cog.exe N/A
N/A N/A C:\Users\Admin\cog.exe N/A
N/A N/A C:\Users\Admin\cog.exe N/A
N/A N/A C:\Users\Admin\cog.exe N/A
N/A N/A C:\Users\Admin\cog.exe N/A
N/A N/A C:\Users\Admin\cog.exe N/A
N/A N/A C:\Users\Admin\vxwom.exe N/A
N/A N/A C:\Users\Admin\cog.exe N/A
N/A N/A C:\Users\Admin\vxwom.exe N/A
N/A N/A C:\Users\Admin\cog.exe N/A
N/A N/A C:\Users\Admin\vxwom.exe N/A
N/A N/A C:\Users\Admin\cog.exe N/A
N/A N/A C:\Users\Admin\cog.exe N/A
N/A N/A C:\Users\Admin\vxwom.exe N/A
N/A N/A C:\Users\Admin\cog.exe N/A
N/A N/A C:\Users\Admin\cog.exe N/A
N/A N/A C:\Users\Admin\vxwom.exe N/A
N/A N/A C:\Users\Admin\vxwom.exe N/A
N/A N/A C:\Users\Admin\cog.exe N/A
N/A N/A C:\Users\Admin\vxwom.exe N/A
N/A N/A C:\Users\Admin\cog.exe N/A
N/A N/A C:\Users\Admin\cog.exe N/A
N/A N/A C:\Users\Admin\cog.exe N/A
N/A N/A C:\Users\Admin\vxwom.exe N/A
N/A N/A C:\Users\Admin\cog.exe N/A
N/A N/A C:\Users\Admin\cog.exe N/A
N/A N/A C:\Users\Admin\cog.exe N/A
N/A N/A C:\Users\Admin\vxwom.exe N/A
N/A N/A C:\Users\Admin\cog.exe N/A
N/A N/A C:\Users\Admin\vxwom.exe N/A
N/A N/A C:\Users\Admin\vxwom.exe N/A
N/A N/A C:\Users\Admin\cog.exe N/A
N/A N/A C:\Users\Admin\vxwom.exe N/A
N/A N/A C:\Users\Admin\cog.exe N/A
N/A N/A C:\Users\Admin\cog.exe N/A
N/A N/A C:\Users\Admin\vxwom.exe N/A
N/A N/A C:\Users\Admin\cog.exe N/A
N/A N/A C:\Users\Admin\cog.exe N/A
N/A N/A C:\Users\Admin\cog.exe N/A
N/A N/A C:\Users\Admin\cog.exe N/A
N/A N/A C:\Users\Admin\vxwom.exe N/A
N/A N/A C:\Users\Admin\vxwom.exe N/A
N/A N/A C:\Users\Admin\cog.exe N/A
N/A N/A C:\Users\Admin\cog.exe N/A
N/A N/A C:\Users\Admin\vxwom.exe N/A
N/A N/A C:\Users\Admin\cog.exe N/A
N/A N/A C:\Users\Admin\cog.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\cod.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\B85EgtCQKi4p6Z9Kt2.exe N/A
N/A N/A C:\Users\Admin\vxwom.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2636 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\8cf591136fec7bd474a84c232e01155a.exe C:\Users\Admin\B85EgtCQKi4p6Z9Kt2.exe
PID 2636 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\8cf591136fec7bd474a84c232e01155a.exe C:\Users\Admin\B85EgtCQKi4p6Z9Kt2.exe
PID 2636 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\8cf591136fec7bd474a84c232e01155a.exe C:\Users\Admin\B85EgtCQKi4p6Z9Kt2.exe
PID 2636 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\8cf591136fec7bd474a84c232e01155a.exe C:\Users\Admin\B85EgtCQKi4p6Z9Kt2.exe
PID 2636 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\8cf591136fec7bd474a84c232e01155a.exe C:\Users\Admin\cod.exe
PID 2636 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\8cf591136fec7bd474a84c232e01155a.exe C:\Users\Admin\cod.exe
PID 2636 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\8cf591136fec7bd474a84c232e01155a.exe C:\Users\Admin\cod.exe
PID 2636 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\8cf591136fec7bd474a84c232e01155a.exe C:\Users\Admin\cod.exe
PID 2636 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\8cf591136fec7bd474a84c232e01155a.exe C:\Users\Admin\cof.exe
PID 2636 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\8cf591136fec7bd474a84c232e01155a.exe C:\Users\Admin\cof.exe
PID 2636 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\8cf591136fec7bd474a84c232e01155a.exe C:\Users\Admin\cof.exe
PID 2636 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\8cf591136fec7bd474a84c232e01155a.exe C:\Users\Admin\cof.exe
PID 2636 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\8cf591136fec7bd474a84c232e01155a.exe C:\Users\Admin\cog.exe
PID 2636 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\8cf591136fec7bd474a84c232e01155a.exe C:\Users\Admin\cog.exe
PID 2636 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\8cf591136fec7bd474a84c232e01155a.exe C:\Users\Admin\cog.exe
PID 2636 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\8cf591136fec7bd474a84c232e01155a.exe C:\Users\Admin\cog.exe
PID 2636 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\8cf591136fec7bd474a84c232e01155a.exe C:\Windows\SysWOW64\cmd.exe
PID 2636 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\8cf591136fec7bd474a84c232e01155a.exe C:\Windows\SysWOW64\cmd.exe
PID 2636 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\8cf591136fec7bd474a84c232e01155a.exe C:\Windows\SysWOW64\cmd.exe
PID 2636 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\8cf591136fec7bd474a84c232e01155a.exe C:\Windows\SysWOW64\cmd.exe
PID 2940 wrote to memory of 2556 N/A C:\Users\Admin\cof.exe C:\Windows\SysWOW64\rundll32.exe
PID 2940 wrote to memory of 2556 N/A C:\Users\Admin\cof.exe C:\Windows\SysWOW64\rundll32.exe
PID 2940 wrote to memory of 2556 N/A C:\Users\Admin\cof.exe C:\Windows\SysWOW64\rundll32.exe
PID 2940 wrote to memory of 2556 N/A C:\Users\Admin\cof.exe C:\Windows\SysWOW64\rundll32.exe
PID 2940 wrote to memory of 2556 N/A C:\Users\Admin\cof.exe C:\Windows\SysWOW64\rundll32.exe
PID 2940 wrote to memory of 2556 N/A C:\Users\Admin\cof.exe C:\Windows\SysWOW64\rundll32.exe
PID 2940 wrote to memory of 2556 N/A C:\Users\Admin\cof.exe C:\Windows\SysWOW64\rundll32.exe
PID 1252 wrote to memory of 2084 N/A C:\Users\Admin\cog.exe C:\Users\Admin\cog.exe
PID 1252 wrote to memory of 2084 N/A C:\Users\Admin\cog.exe C:\Users\Admin\cog.exe
PID 1252 wrote to memory of 2084 N/A C:\Users\Admin\cog.exe C:\Users\Admin\cog.exe
PID 1252 wrote to memory of 2084 N/A C:\Users\Admin\cog.exe C:\Users\Admin\cog.exe
PID 1252 wrote to memory of 2084 N/A C:\Users\Admin\cog.exe C:\Users\Admin\cog.exe
PID 1252 wrote to memory of 2084 N/A C:\Users\Admin\cog.exe C:\Users\Admin\cog.exe
PID 1252 wrote to memory of 2084 N/A C:\Users\Admin\cog.exe C:\Users\Admin\cog.exe
PID 1252 wrote to memory of 2084 N/A C:\Users\Admin\cog.exe C:\Users\Admin\cog.exe
PID 1252 wrote to memory of 2084 N/A C:\Users\Admin\cog.exe C:\Users\Admin\cog.exe
PID 1252 wrote to memory of 2084 N/A C:\Users\Admin\cog.exe C:\Users\Admin\cog.exe
PID 1252 wrote to memory of 2084 N/A C:\Users\Admin\cog.exe C:\Users\Admin\cog.exe
PID 2292 wrote to memory of 2732 N/A C:\Users\Admin\B85EgtCQKi4p6Z9Kt2.exe C:\Users\Admin\vxwom.exe
PID 2292 wrote to memory of 2732 N/A C:\Users\Admin\B85EgtCQKi4p6Z9Kt2.exe C:\Users\Admin\vxwom.exe
PID 2292 wrote to memory of 2732 N/A C:\Users\Admin\B85EgtCQKi4p6Z9Kt2.exe C:\Users\Admin\vxwom.exe
PID 2292 wrote to memory of 2732 N/A C:\Users\Admin\B85EgtCQKi4p6Z9Kt2.exe C:\Users\Admin\vxwom.exe
PID 2556 wrote to memory of 2460 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2556 wrote to memory of 2460 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2556 wrote to memory of 2460 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2556 wrote to memory of 2460 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2556 wrote to memory of 2460 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2556 wrote to memory of 2460 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2556 wrote to memory of 2460 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8cf591136fec7bd474a84c232e01155a.exe

"C:\Users\Admin\AppData\Local\Temp\8cf591136fec7bd474a84c232e01155a.exe"

C:\Users\Admin\B85EgtCQKi4p6Z9Kt2.exe

B85EgtCQKi4p6Z9Kt2.exe

C:\Users\Admin\cod.exe

cod.exe

C:\Users\Admin\cof.exe

cof.exe

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\mfwutese.dll",Startup

C:\Users\Admin\cog.exe

cog.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c del 8cf591136fec7bd474a84c232e01155a.exe

C:\Users\Admin\cog.exe

cog.exe

C:\Users\Admin\vxwom.exe

"C:\Users\Admin\vxwom.exe"

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\mfwutese.dll",iep

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c tasklist&&del B85EgtCQKi4p6Z9Kt2.exe

C:\Windows\SysWOW64\tasklist.exe

tasklist

Network

N/A

Files

\Users\Admin\B85EgtCQKi4p6Z9Kt2.exe

MD5 72e9d71fe7ad21610b846614566d6e2f
SHA1 35071ef247823ff6fa675449c6506caa2f5b145f
SHA256 4dc0b35a38321c71c24289acf43c102e6aa875307f830900d39f25491c83cda9
SHA512 14431710838e2eea0fdb3a7b73743b6d101ec6a4ceebdf0716e2855e845bd2b1722e5178d310a24ce7e5754076a9dc0e62f351c1518c391c6db8533af35203f3

C:\Users\Admin\cod.exe

MD5 b8e09161bc02d31d1ae2c99e258144ee
SHA1 0ccaf9daa161cb90936862f4f8f061afc671c3ca
SHA256 6bdf47160d6aa55f0c3f646512107d589f91c0231e95352eff690f5f1fa7b9ad
SHA512 489fb5908765d103bc0f3187f3784500acfe9f0f6dce75e4e7d6964576b01efeba2cf83132b95b3f5e84a1ba6dc2b969cdc367a6b9dbe348e52259690c7fed77

C:\Users\Admin\cod.exe

MD5 1c7b201413e0761653f61eb45886e00d
SHA1 d58ff7e56db798240c5a09b33002bbc9b1b50f60
SHA256 16390ac3f6c7783604f5cbdc6f157d358b31956a79d2bbe2bdd60a0632fe65b6
SHA512 9ba3d4add08a6501ca0c6dbe84ae3d3907ebc9bcb996e11ffca97e6406ab0999060640a1df7f34db8dc95909c5be8501119c81c83150362b19fd6c50d372f10a

C:\Users\Admin\cof.exe

MD5 6d6ff934d61f37f4b292da43125f8fc9
SHA1 5b56e2404862ef7fe7b42158abe6bb344743792e
SHA256 bd06e54c7ce441b88d84bd2ef758017c6740663c0158784e55def171c7986df8
SHA512 a135fe5da7b1553a01c752f0162703c9c6428586f349097eb5f7adad722dfb67289e7ff1297a44f321ad7e5cafd2694f5a544291ea660a6daa8cb3fbea8e8e0c

C:\Users\Admin\cog.exe

MD5 44e27b6521dd2c9375f0d1e4737878a3
SHA1 6a073519fdff88a36bf7837b5636d6814f05255a
SHA256 2414245b0355f11217eeed564ecbbd70e362a886982587e968739bc8a24d9290
SHA512 01eecad2bb7a2017f77d7df4cc0bf513e15b331108934357db246b9f538f14114cfa31b9c36aac0fca081b57bb9255567517575fb2f613e7eba1b71e59999deb

memory/2940-40-0x0000000001CA0000-0x0000000001CE0000-memory.dmp

memory/2932-41-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2932-43-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Users\Admin\cof.exe

MD5 d15f3d9213e5972e1e2c069448d6f228
SHA1 224f67d7bcb15f1921211d68df19a072dc84ccfe
SHA256 9c0e3fcd2615c0a3678e77583970c5d9401ea223db3e517d048453db6427214d
SHA512 3e53dde211235f50f7507839f4f0e8ef6c0456f4f92b40e3a9d57eb64c1ee17774698858213e1cdefb8e87803648ff97001b2a00ad2c2c6b0c896774b1e785e3

memory/2932-46-0x00000000006C0000-0x0000000000718000-memory.dmp

memory/2940-52-0x0000000010000000-0x000000001001D000-memory.dmp

C:\Users\Admin\AppData\Local\mfwutese.dll

MD5 be60099ceffb0aece0bc0c52998e9d65
SHA1 6ff11181390b5eccfb9a832ea5311d58bcc7a3a3
SHA256 e41f195954abff7c7bdc150773ad9f0b4029a883386ac179c1aa9d44f9ab6e4a
SHA512 c4beef5b86370a959b624041cc2db1de2da07a15df17077d728ea74036398fd1e62b6e7e147c53ea944606d751d0934f423b70193ad570a8cba097a823facdc0

memory/2556-59-0x0000000010000000-0x000000001001D000-memory.dmp

memory/2556-60-0x00000000001E0000-0x0000000000220000-memory.dmp

memory/2556-61-0x00000000001E0000-0x0000000000220000-memory.dmp

memory/2932-62-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2932-48-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2932-47-0x00000000006C1000-0x00000000006C2000-memory.dmp

memory/2084-81-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2084-80-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1252-85-0x0000000000400000-0x0000000000427000-memory.dmp

C:\Users\Admin\cog.exe

MD5 262a039229f90ba2461f2e810ad74447
SHA1 9dfe5040a3d6ea8262313953c02a1e6ae39c6916
SHA256 e20729c3095a40a637efb304bdf57902cd4948f22406138e0dbdf28f034cedb3
SHA512 d7612cdbc38aea73462aa7851ab3078dfb89a1b4c96414f5d8144c456f694971f08a79bbb1a738ffeb273f99122432b1009cbf4bd483884dd50ca115a64ef641

memory/2084-87-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2084-86-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2084-77-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2084-74-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2084-71-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2084-68-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2084-66-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2084-64-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2940-44-0x0000000001CA0000-0x0000000001CE0000-memory.dmp

memory/2940-38-0x0000000010000000-0x000000001001D000-memory.dmp

memory/2932-37-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2636-22-0x0000000000470000-0x00000000004C8000-memory.dmp

\Users\Admin\cod.exe

MD5 dbadc5fadb7497f5761537c06026ff47
SHA1 c8bd7319e170bd5966a73bae6f34cee4782b4f97
SHA256 b8fdc5c5f8aa378ef3ba8ee5172550a8f7ca295bebe858dab8ec171f1328036e
SHA512 7bced6bbdeb0f770d78f199d16d8ed86e90794141df101d1bb4878c55313af058a5551e0df2da65f6cd3507185cca13c7459aabf97c22faa83518b53321c2b7e

memory/2636-17-0x0000000000470000-0x00000000004C8000-memory.dmp

\Users\Admin\vxwom.exe

MD5 2aa64c61b9e9b5549381bca685d8330e
SHA1 71a9c89bda77874d5b6c3d09c89ad7fa5e447725
SHA256 c873b45875b1c894b9b5b2cf16b7ff85f065373b87ee5c498ffbfe14d2f620c8
SHA512 420e2be6f20065699999ee42533b97915166203899df4ebafdb26d3814f12598a4d3a77099851d265d2c4534e2ec6f14e04cb688a86286e200e0411870c7ad5b

memory/2556-107-0x0000000010000000-0x000000001001D000-memory.dmp

memory/2556-120-0x0000000010000000-0x000000001001D000-memory.dmp

memory/2460-126-0x0000000000180000-0x00000000001C0000-memory.dmp

memory/2460-125-0x0000000000180000-0x00000000001C0000-memory.dmp

memory/2292-128-0x0000000002F90000-0x0000000003A4A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-03 17:49

Reported

2024-02-03 17:52

Platform

win10v2004-20231215-en

Max time kernel

22s

Max time network

72s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8cf591136fec7bd474a84c232e01155a.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\B85EgtCQKi4p6Z9Kt2.exe N/A
N/A N/A C:\Users\Admin\cod.exe N/A
N/A N/A C:\Users\Admin\cof.exe N/A
N/A N/A C:\Users\Admin\cog.exe N/A
N/A N/A C:\Users\Admin\cog.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Njayurixuqugaro = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\XmphtpT.dll\",Startup" C:\Windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\physicaldrive0 C:\Users\Admin\cod.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3324 set thread context of 4272 N/A C:\Users\Admin\cog.exe C:\Users\Admin\cog.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\cod.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\B85EgtCQKi4p6Z9Kt2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3992 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\8cf591136fec7bd474a84c232e01155a.exe C:\Users\Admin\B85EgtCQKi4p6Z9Kt2.exe
PID 3992 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\8cf591136fec7bd474a84c232e01155a.exe C:\Users\Admin\B85EgtCQKi4p6Z9Kt2.exe
PID 3992 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\8cf591136fec7bd474a84c232e01155a.exe C:\Users\Admin\B85EgtCQKi4p6Z9Kt2.exe
PID 3992 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\8cf591136fec7bd474a84c232e01155a.exe C:\Users\Admin\cod.exe
PID 3992 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\8cf591136fec7bd474a84c232e01155a.exe C:\Users\Admin\cod.exe
PID 3992 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\8cf591136fec7bd474a84c232e01155a.exe C:\Users\Admin\cod.exe
PID 3992 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Local\Temp\8cf591136fec7bd474a84c232e01155a.exe C:\Users\Admin\cof.exe
PID 3992 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Local\Temp\8cf591136fec7bd474a84c232e01155a.exe C:\Users\Admin\cof.exe
PID 3992 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Local\Temp\8cf591136fec7bd474a84c232e01155a.exe C:\Users\Admin\cof.exe
PID 3992 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\8cf591136fec7bd474a84c232e01155a.exe C:\Users\Admin\cog.exe
PID 3992 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\8cf591136fec7bd474a84c232e01155a.exe C:\Users\Admin\cog.exe
PID 3992 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\8cf591136fec7bd474a84c232e01155a.exe C:\Users\Admin\cog.exe
PID 3992 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\8cf591136fec7bd474a84c232e01155a.exe C:\Windows\SysWOW64\cmd.exe
PID 3992 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\8cf591136fec7bd474a84c232e01155a.exe C:\Windows\SysWOW64\cmd.exe
PID 3992 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\8cf591136fec7bd474a84c232e01155a.exe C:\Windows\SysWOW64\cmd.exe
PID 3288 wrote to memory of 2416 N/A C:\Users\Admin\cof.exe C:\Windows\SysWOW64\rundll32.exe
PID 3288 wrote to memory of 2416 N/A C:\Users\Admin\cof.exe C:\Windows\SysWOW64\rundll32.exe
PID 3288 wrote to memory of 2416 N/A C:\Users\Admin\cof.exe C:\Windows\SysWOW64\rundll32.exe
PID 3324 wrote to memory of 4272 N/A C:\Users\Admin\cog.exe C:\Users\Admin\cog.exe
PID 3324 wrote to memory of 4272 N/A C:\Users\Admin\cog.exe C:\Users\Admin\cog.exe
PID 3324 wrote to memory of 4272 N/A C:\Users\Admin\cog.exe C:\Users\Admin\cog.exe
PID 3324 wrote to memory of 4272 N/A C:\Users\Admin\cog.exe C:\Users\Admin\cog.exe
PID 3324 wrote to memory of 4272 N/A C:\Users\Admin\cog.exe C:\Users\Admin\cog.exe
PID 3324 wrote to memory of 4272 N/A C:\Users\Admin\cog.exe C:\Users\Admin\cog.exe
PID 3324 wrote to memory of 4272 N/A C:\Users\Admin\cog.exe C:\Users\Admin\cog.exe
PID 3324 wrote to memory of 4272 N/A C:\Users\Admin\cog.exe C:\Users\Admin\cog.exe
PID 3324 wrote to memory of 4272 N/A C:\Users\Admin\cog.exe C:\Users\Admin\cog.exe
PID 3324 wrote to memory of 4272 N/A C:\Users\Admin\cog.exe C:\Users\Admin\cog.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8cf591136fec7bd474a84c232e01155a.exe

"C:\Users\Admin\AppData\Local\Temp\8cf591136fec7bd474a84c232e01155a.exe"

C:\Users\Admin\cog.exe

cog.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c del 8cf591136fec7bd474a84c232e01155a.exe

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\XmphtpT.dll",Startup

C:\Users\Admin\cof.exe

cof.exe

C:\Users\Admin\cod.exe

cod.exe

C:\Users\Admin\B85EgtCQKi4p6Z9Kt2.exe

B85EgtCQKi4p6Z9Kt2.exe

C:\Users\Admin\cog.exe

cog.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp

Files

C:\Users\Admin\cod.exe

MD5 c7f5ebab338e2879b2809b3828d0807d
SHA1 1fc561bd445eb7e6e3bd709d0ee70f23edf27fa3
SHA256 6ac792e9d80ff13ddaa11610f95a23e2d1c0746e9a7c5511c2048c15babc6009
SHA512 51c6fcd637e0e1ca2d3f47d20a303b457eba5a94e119c73332ec70427c947b11f40f27f0cbb932549284fb8da78b7f6d4546b473aef42f98c3a677942d10a24e

C:\Users\Admin\cof.exe

MD5 40310de11405420a15881f31a5965af0
SHA1 c6e4971184a6f40165f24c6a39465296a4d436cd
SHA256 ae9b5256dedd4289ce5126fae9566e91861c18cfb66907ccb2c087887c6064f7
SHA512 725908fd0631618190e370d9bce877ca48777e5d062cdb1cae7e83124275b33b1e8ca88881ce7e77d0b30377a240fbb285e648075371d2a74bbd1bd4d14725e6

C:\Users\Admin\cog.exe

MD5 2e3317b4abb4e3931ac16e0f1d5ed9e7
SHA1 79317fd0874a16a1aa7ac8ce77c951f5b640d3fe
SHA256 f9e727496f2bb12b9229a827a95c3db9b6a34e58074b6ad59a8ae9be17afd976
SHA512 c0462a0ac973f4a0c9c817ee85e6ca0f3cbca60d37672293fc034b82fa2d06769993972ff68af9c63b37670031fad81b295266ee59166b0b665e5e780741505e

memory/3288-23-0x0000000002240000-0x0000000002250000-memory.dmp

memory/232-24-0x0000000000400000-0x0000000000458000-memory.dmp

memory/232-25-0x0000000000400000-0x0000000000458000-memory.dmp

memory/3288-22-0x0000000010000000-0x000000001001D000-memory.dmp

memory/3288-21-0x0000000002240000-0x0000000002250000-memory.dmp

memory/232-31-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2416-33-0x0000000010000000-0x000000001001D000-memory.dmp

memory/232-35-0x00000000005E0000-0x0000000000638000-memory.dmp

C:\Users\Admin\AppData\Local\XmphtpT.dll

MD5 be60099ceffb0aece0bc0c52998e9d65
SHA1 6ff11181390b5eccfb9a832ea5311d58bcc7a3a3
SHA256 e41f195954abff7c7bdc150773ad9f0b4029a883386ac179c1aa9d44f9ab6e4a
SHA512 c4beef5b86370a959b624041cc2db1de2da07a15df17077d728ea74036398fd1e62b6e7e147c53ea944606d751d0934f423b70193ad570a8cba097a823facdc0

memory/232-36-0x00000000005E1000-0x00000000005E2000-memory.dmp

memory/2416-37-0x0000000002700000-0x0000000002710000-memory.dmp

memory/2416-38-0x0000000002700000-0x0000000002710000-memory.dmp

memory/3288-34-0x0000000010000000-0x000000001001D000-memory.dmp

C:\Users\Admin\cog.exe

MD5 262a039229f90ba2461f2e810ad74447
SHA1 9dfe5040a3d6ea8262313953c02a1e6ae39c6916
SHA256 e20729c3095a40a637efb304bdf57902cd4948f22406138e0dbdf28f034cedb3
SHA512 d7612cdbc38aea73462aa7851ab3078dfb89a1b4c96414f5d8144c456f694971f08a79bbb1a738ffeb273f99122432b1009cbf4bd483884dd50ca115a64ef641

C:\Users\Admin\cof.exe

MD5 d15f3d9213e5972e1e2c069448d6f228
SHA1 224f67d7bcb15f1921211d68df19a072dc84ccfe
SHA256 9c0e3fcd2615c0a3678e77583970c5d9401ea223db3e517d048453db6427214d
SHA512 3e53dde211235f50f7507839f4f0e8ef6c0456f4f92b40e3a9d57eb64c1ee17774698858213e1cdefb8e87803648ff97001b2a00ad2c2c6b0c896774b1e785e3

memory/232-13-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Users\Admin\cod.exe

MD5 dbadc5fadb7497f5761537c06026ff47
SHA1 c8bd7319e170bd5966a73bae6f34cee4782b4f97
SHA256 b8fdc5c5f8aa378ef3ba8ee5172550a8f7ca295bebe858dab8ec171f1328036e
SHA512 7bced6bbdeb0f770d78f199d16d8ed86e90794141df101d1bb4878c55313af058a5551e0df2da65f6cd3507185cca13c7459aabf97c22faa83518b53321c2b7e

C:\Users\Admin\B85EgtCQKi4p6Z9Kt2.exe

MD5 72e9d71fe7ad21610b846614566d6e2f
SHA1 35071ef247823ff6fa675449c6506caa2f5b145f
SHA256 4dc0b35a38321c71c24289acf43c102e6aa875307f830900d39f25491c83cda9
SHA512 14431710838e2eea0fdb3a7b73743b6d101ec6a4ceebdf0716e2855e845bd2b1722e5178d310a24ce7e5754076a9dc0e62f351c1518c391c6db8533af35203f3

memory/232-39-0x0000000000400000-0x0000000000458000-memory.dmp

memory/4272-40-0x0000000000400000-0x000000000040B000-memory.dmp

memory/4272-41-0x0000000000400000-0x000000000040B000-memory.dmp

memory/4272-42-0x0000000000400000-0x000000000040B000-memory.dmp

memory/4272-43-0x0000000000400000-0x000000000040B000-memory.dmp

memory/4272-44-0x0000000000400000-0x000000000040B000-memory.dmp

memory/4272-49-0x0000000000400000-0x000000000040B000-memory.dmp

memory/3324-47-0x0000000000400000-0x0000000000427000-memory.dmp

memory/2416-50-0x0000000010000000-0x000000001001D000-memory.dmp

memory/4272-51-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\baugig.exe

MD5 f091e5fa9e30e83ec2d3459d1f98b042
SHA1 cec0a10b627d17e48f20b4090ca96d90a5dc0611
SHA256 62079f5ae2f1cb501e16f6df4c523faddb7b9777a4e983a73508edc579f4f6c8
SHA512 8d9bee720a3a2ef4699fb58387c1677fe7ec96d6756004bbb7febcc752bcdb4720b726ea3dceeaebf0c2f6a09e09b8a41b7912eac70188169a60a4e43a3b291d