modiloader | 1932a5b773cdd7678ccc122ebb9d5f7c70455f5800c20e3ba39700ed73b5569c

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
14/02/2024, 19:03

Target

9c6737753b3e1fc85c9d76634985c63c.exe
Size

60KB
MD5

9c6737753b3e1fc85c9d76634985c63c
SHA1

c01154959a7478c76637bc2f2e5f866f5a8b863a
SHA256

1932a5b773cdd7678ccc122ebb9d5f7c70455f5800c20e3ba39700ed73b5569c
SHA512

23b63ad778be126be6500a09e19bc3fcf14551f3db980fd951f867684a4f462451ea638bda3345369e5c820765ab5ecb56143adb85d4b4b43da52c75c963e93e
SSDEEP

1536:xm7wjsVTJ+p3JrkGLawHE/E2j+EDmDZIYcSCggVLkX:e+sVT45mn/bjncZIHlkX

Score

10^/10

modiloader trojan

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

resource	yara_rule
behavioral1/memory/2276-2-0x0000000000400000-0x000000000042102F-memory.dmp	modiloader_stage2
behavioral1/files/0x000a000000012022-4.dat	modiloader_stage2
behavioral1/files/0x000b000000015c1b-8.dat	modiloader_stage2

Executes dropped EXE 2 IoCs

pid	Process
1988	temp.exe
2716	tcpip.exe

Loads dropped DLL 2 IoCs

pid	Process
2452	cmd.exe
2452	cmd.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\tcpip.exe	temp.exe
File opened for modification	C:\Windows\SysWOW64\tcpip.exe	temp.exe
File created	C:\Windows\SysWOW64\kkkkkkk.bat	temp.exe
File created	C:\Windows\SysWOW64\wwinsystem.dll	tcpip.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1988	temp.exe
Token: SeDebugPrivilege	2716	tcpip.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2452	2276	9c6737753b3e1fc85c9d76634985c63c.exe	28
PID 2276 wrote to memory of 2452	2276	9c6737753b3e1fc85c9d76634985c63c.exe	28
PID 2276 wrote to memory of 2452	2276	9c6737753b3e1fc85c9d76634985c63c.exe	28
PID 2276 wrote to memory of 2452	2276	9c6737753b3e1fc85c9d76634985c63c.exe	28
PID 2452 wrote to memory of 1988	2452	cmd.exe	30
PID 2452 wrote to memory of 1988	2452	cmd.exe	30
PID 2452 wrote to memory of 1988	2452	cmd.exe	30
PID 2452 wrote to memory of 1988	2452	cmd.exe	30
PID 1988 wrote to memory of 2728	1988	temp.exe	32
PID 1988 wrote to memory of 2728	1988	temp.exe	32
PID 1988 wrote to memory of 2728	1988	temp.exe	32
PID 1988 wrote to memory of 2728	1988	temp.exe	32
PID 2716 wrote to memory of 1420	2716	tcpip.exe	15

C:\Users\Admin\AppData\Local\Temp\temp.exe

Filesize
44KB

MD5
16d2f9658105b8a4d0e0adeaa483c87d

SHA1
bb455cdee07ef159cc1c4bc840956f1deb4ddae2

SHA256
f2ee14821043dfbce62daac61fe27ec9ed03afb395ffd85cdb59063d492784fb

SHA512
4e15d7db9edd3cf79e75df0665ef237cb4c9ceac250f86e51fdc35115a70b37243532f8e7adb6174a6600dfe5c8b363781ebed3c97a354bd42cb2769d3b6c815

Download Submit
C:\Windows\SysWOW64\kkkkkkk.bat

Filesize
134B

MD5
8fd6d636cdee10d04a8a03a03ec2721f

SHA1
c1b84a770ef314e4b8b3db64e39631e5d17ea4bc

SHA256
b61a18a227dad25d44c88dc31ec845c532bdb8290fd93549b5c39d85f60eb66b

SHA512
0771e0ea8dddd230e27fdd0a4052bcc0c736331bf7a1473715da2f157100b548221d32e20aabfdd3bffdca9fe9fde2ee5d1fe37dec1ffed804440c84ca5348cd

Download Submit
C:\Windows\SysWOW64\tcpip.exe

Filesize
19KB

MD5
029ec12148b611cff71c560fc783688b

SHA1
5177e408c29f20ca2f1849ed0f7aef583b687dde

SHA256
f5f3bd142c69756a64bd325e2935a17424a510201ddf5ac79cba8c540491d9fb

SHA512
886ef214ba57fbc7f5886bfa2324c36994955c9a61a65fee541167417b983f1c4355dd6b231f6db3636a6c9b9ae8a33b5e71f8403cbf209a77f05a85e40ea2fe

Download Submit
memory/1420-18-0x0000000002A80000-0x0000000002A81000-memory.dmp

Filesize
4KB

Download
memory/2276-0-0x0000000000400000-0x000000000042102F-memory.dmp

Filesize
132KB

Download
memory/2276-2-0x0000000000400000-0x000000000042102F-memory.dmp

Filesize
132KB

Download