modiloader | 84f55cb131f265acff6136baa336539828680aeb4bd6f991a08e04fa41d932f5

Analysis

max time kernel
90s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
13/02/2024, 17:39

Target

99bf33a35db434543ff6c4471d4aaee6.exe
Size

57KB
MD5

99bf33a35db434543ff6c4471d4aaee6
SHA1

ae5bfa7f13ee679078b71b4f4a40a6e8a878d3c6
SHA256

84f55cb131f265acff6136baa336539828680aeb4bd6f991a08e04fa41d932f5
SHA512

6b8e9d63a043537326e574e480db2dfa9bc7c2d99ff65c45336a22cd47a919419ee750f38243ddee730f7f93a90fc73c5e9f708e2c1203718cb320be501bf6f1
SSDEEP

1536:tm7wjsVTJ+p3JrkGLawHE/E2j+EHwnOE1/o88t/T1g/tTn:6+sVT45mn/bjnWo8sTmn

Score

10^/10

modiloader trojan

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

resource	yara_rule
behavioral2/memory/752-3-0x0000000000400000-0x000000000041F000-memory.dmp	modiloader_stage2
behavioral2/memory/752-2-0x0000000000400000-0x000000000041F000-memory.dmp	modiloader_stage2
behavioral2/files/0x000700000002322f-5.dat	modiloader_stage2

Executes dropped EXE 2 IoCs

pid	Process
3616	temp.exe
388	tcpip.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mmmmmmmm.bat	temp.exe
File created	C:\Windows\SysWOW64\msiupdata.dll	tcpip.exe
File created	C:\Windows\SysWOW64\tcpip.exe	temp.exe
File opened for modification	C:\Windows\SysWOW64\tcpip.exe	temp.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3616	temp.exe
Token: SeDebugPrivilege	388	tcpip.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 752 wrote to memory of 4504	752	99bf33a35db434543ff6c4471d4aaee6.exe	84
PID 752 wrote to memory of 4504	752	99bf33a35db434543ff6c4471d4aaee6.exe	84
PID 752 wrote to memory of 4504	752	99bf33a35db434543ff6c4471d4aaee6.exe	84
PID 4504 wrote to memory of 3616	4504	cmd.exe	86
PID 4504 wrote to memory of 3616	4504	cmd.exe	86
PID 4504 wrote to memory of 3616	4504	cmd.exe	86
PID 3616 wrote to memory of 1620	3616	temp.exe	88
PID 3616 wrote to memory of 1620	3616	temp.exe	88
PID 3616 wrote to memory of 1620	3616	temp.exe	88
PID 388 wrote to memory of 3420	388	tcpip.exe	42

C:\Users\Admin\AppData\Local\Temp\temp.exe

Filesize
43KB

MD5
5c4ee3da5f9af3e2d3618999349488b5

SHA1
d3c460d2cb7bb7b6e96ade8cafe9698f0ae257c5

SHA256
62729829cc483626b45632ba00f8aa988e1a605f40b8e34d047edc2eb9389b2a

SHA512
b1be635f0fc3d7975d3c12e9bcde75d6f2327aa367d8905211f2787003a493145a278e38cde4947fbc3c2568ba6ae06c20018b668cef86061b0b5f37aab0654b

Download Submit
C:\Windows\SysWOW64\mmmmmmmm.bat

Filesize
136B

MD5
bbb1363ff9d91459fafad63764db72a0

SHA1
39363d056769002ec16b5bd869d9a3548d5d131b

SHA256
4313d66d27196d0fc03c77e21f2b6020adf3f8cf4b7ca6895151c92cf0136bb9

SHA512
41bcbaefc2d018f93253202b5fe8864e28b232c3c9a7e7237d74b3a3078dec824fad25045dafc44d3a3faafc0a9bbf3d2d62df08628443a8a1a2fa375974b59a

Download Submit
memory/752-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/752-3-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/752-2-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download