modiloader | e91b3f0ddc4a0f795e6151cf6aec64c9350e0e35ebb58c6eabbf345fb32e3c7b

Analysis

max time kernel
142s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
07-03-2024 20:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b99e2157e415b68404142911826d9bd1.exe
Size

739KB
MD5

b99e2157e415b68404142911826d9bd1
SHA1

6182a3dc3cc09655d1de367f4076af13e7bf9777
SHA256

e91b3f0ddc4a0f795e6151cf6aec64c9350e0e35ebb58c6eabbf345fb32e3c7b
SHA512

0ecfbe9beafd582763565a4f20907982b6c48eb4c4d803c275b7ff59e34399c001717429d9ec5422023685ef72046189f353957670a2c7ad9b5a95f0a8363eba
SSDEEP

12288:d8jHAwPmc+P+UlxXJHHBK2ZMXR0l8M35F3Z4mxxQSeP+2PaLGs7LOv7:+fmlNJHw2ZMB0Oq5QmXQSoyw7

Score

10^/10

modiloader aspackv2 trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 9 IoCs

resource	yara_rule
behavioral1/memory/2928-13-0x0000000000400000-0x00000000004D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2928-15-0x0000000000400000-0x00000000004D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2928-20-0x0000000000400000-0x00000000004D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2928-21-0x0000000000400000-0x00000000004D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2928-24-0x0000000000400000-0x00000000004D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2660-59-0x0000000000400000-0x00000000004D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2660-60-0x0000000000400000-0x00000000004D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2928-56-0x0000000000400000-0x00000000004D0000-memory.dmp	modiloader_stage2
behavioral1/memory/2660-77-0x0000000000400000-0x00000000004D0000-memory.dmp	modiloader_stage2

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000a000000013a71-26.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
2276	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
3012	Switching.exe
2660	Switching.exe

Loads dropped DLL 6 IoCs

pid	Process
2928	b99e2157e415b68404142911826d9bd1.exe
2928	b99e2157e415b68404142911826d9bd1.exe
3012	Switching.exe
2632	WerFault.exe
2632	WerFault.exe
2632	WerFault.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\_Switching.exe	Switching.exe
File opened for modification	C:\Windows\SysWOW64\_Switching.exe	Switching.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2136 set thread context of 2928	2136	b99e2157e415b68404142911826d9bd1.exe	28
PID 3012 set thread context of 2660	3012	Switching.exe	30
PID 2660 set thread context of 2488	2660	Switching.exe	33

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\Switching.exe	b99e2157e415b68404142911826d9bd1.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\Switching.exe	b99e2157e415b68404142911826d9bd1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\SxingDel.bat	b99e2157e415b68404142911826d9bd1.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2632	2660	WerFault.exe	30

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2928	2136	b99e2157e415b68404142911826d9bd1.exe	28
PID 2136 wrote to memory of 2928	2136	b99e2157e415b68404142911826d9bd1.exe	28
PID 2136 wrote to memory of 2928	2136	b99e2157e415b68404142911826d9bd1.exe	28
PID 2136 wrote to memory of 2928	2136	b99e2157e415b68404142911826d9bd1.exe	28
PID 2136 wrote to memory of 2928	2136	b99e2157e415b68404142911826d9bd1.exe	28
PID 2136 wrote to memory of 2928	2136	b99e2157e415b68404142911826d9bd1.exe	28
PID 2928 wrote to memory of 3012	2928	b99e2157e415b68404142911826d9bd1.exe	29
PID 2928 wrote to memory of 3012	2928	b99e2157e415b68404142911826d9bd1.exe	29
PID 2928 wrote to memory of 3012	2928	b99e2157e415b68404142911826d9bd1.exe	29
PID 2928 wrote to memory of 3012	2928	b99e2157e415b68404142911826d9bd1.exe	29
PID 3012 wrote to memory of 2660	3012	Switching.exe	30
PID 3012 wrote to memory of 2660	3012	Switching.exe	30
PID 3012 wrote to memory of 2660	3012	Switching.exe	30
PID 3012 wrote to memory of 2660	3012	Switching.exe	30
PID 3012 wrote to memory of 2660	3012	Switching.exe	30
PID 3012 wrote to memory of 2660	3012	Switching.exe	30
PID 2928 wrote to memory of 2276	2928	b99e2157e415b68404142911826d9bd1.exe	31
PID 2928 wrote to memory of 2276	2928	b99e2157e415b68404142911826d9bd1.exe	31
PID 2928 wrote to memory of 2276	2928	b99e2157e415b68404142911826d9bd1.exe	31
PID 2928 wrote to memory of 2276	2928	b99e2157e415b68404142911826d9bd1.exe	31
PID 2660 wrote to memory of 2488	2660	Switching.exe	33
PID 2660 wrote to memory of 2488	2660	Switching.exe	33
PID 2660 wrote to memory of 2488	2660	Switching.exe	33
PID 2660 wrote to memory of 2488	2660	Switching.exe	33
PID 2660 wrote to memory of 2488	2660	Switching.exe	33
PID 2660 wrote to memory of 2488	2660	Switching.exe	33
PID 2660 wrote to memory of 2632	2660	Switching.exe	34
PID 2660 wrote to memory of 2632	2660	Switching.exe	34
PID 2660 wrote to memory of 2632	2660	Switching.exe	34
PID 2660 wrote to memory of 2632	2660	Switching.exe	34

C:\Users\Admin\AppData\Local\Temp\b99e2157e415b68404142911826d9bd1.exe
"C:\Users\Admin\AppData\Local\Temp\b99e2157e415b68404142911826d9bd1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Users\Admin\AppData\Local\Temp\b99e2157e415b68404142911826d9bd1.exe
  C:\Users\Admin\AppData\Local\Temp\b99e2157e415b68404142911826d9bd1.exe
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Program Files\Common Files\Microsoft Shared\MSINFO\Switching.exe
    "C:\Program Files\Common Files\Microsoft Shared\MSINFO\Switching.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3012
  - - C:\Program Files\Common Files\Microsoft Shared\MSINFO\Switching.exe
      "C:\Program Files\Common Files\Microsoft Shared\MSINFO\Switching.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2660
    - - C:\Windows\SysWOW64\calc.exe
        
        "C:\Windows\system32\calc.exe"
        5⤵
        
        PID:2488
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 280
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2632
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\SxingDel.bat""
    3⤵
    - Deletes itself
    PID:2276

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSInfo\SxingDel.bat

Filesize
184B

MD5
44e6fb84fdb121e2842b100c49edb50c

SHA1
cad527e507df4be90e75bbab5fcb1eb58990c772

SHA256
fa4af76473b933eb60b124a9debd62b303440ef90735db4332d9cb4f92c586de

SHA512
962cd56d33a0a8cdc4e5f775101df5ad0fe6b5f9f76f8e37487d83d361623c26f1c9d86256a3b67c9a6f789c8034f1476c6bc6da4b6c3a50870e4a7add0e43ab

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\Switching.exe

Filesize
739KB

MD5
b99e2157e415b68404142911826d9bd1

SHA1
6182a3dc3cc09655d1de367f4076af13e7bf9777

SHA256
e91b3f0ddc4a0f795e6151cf6aec64c9350e0e35ebb58c6eabbf345fb32e3c7b

SHA512
0ecfbe9beafd582763565a4f20907982b6c48eb4c4d803c275b7ff59e34399c001717429d9ec5422023685ef72046189f353957670a2c7ad9b5a95f0a8363eba

Download Submit
memory/2136-16-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/2136-12-0x0000000001F50000-0x0000000001F51000-memory.dmp

Filesize
4KB

Download
memory/2136-76-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/2136-4-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/2136-8-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/2136-3-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/2136-0-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2136-19-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/2136-2-0x0000000001F40000-0x0000000001F41000-memory.dmp

Filesize
4KB

Download
memory/2136-1-0x0000000000530000-0x0000000000584000-memory.dmp

Filesize
336KB

Download
memory/2136-14-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2136-10-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/2136-6-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/2136-18-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/2136-17-0x0000000000530000-0x0000000000584000-memory.dmp

Filesize
336KB

Download
memory/2488-71-0x0000000000450000-0x0000000000450000-memory.dmp

Download
memory/2488-64-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2488-68-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2660-60-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2660-59-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2660-77-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2660-63-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2928-20-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2928-32-0x0000000002FD0000-0x0000000003094000-memory.dmp

Filesize
784KB

Download
memory/2928-36-0x0000000002FD0000-0x0000000003094000-memory.dmp

Filesize
784KB

Download
memory/2928-24-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2928-5-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2928-9-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2928-21-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2928-25-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2928-13-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2928-15-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2928-56-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/3012-35-0x0000000000530000-0x0000000000584000-memory.dmp

Filesize
336KB

Download
memory/3012-58-0x0000000000530000-0x0000000000584000-memory.dmp

Filesize
336KB

Download
memory/3012-47-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/3012-34-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/3012-41-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download
memory/3012-40-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download