modiloader | b007fcf24071434f44f6de53165d5de0079a846d83e87f0426a3a2ed2609e28c

Analysis

max time kernel
147s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2024, 16:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bbbbe89e4b8730e45068cfcbe85c6458.exe
Size

241KB
MD5

bbbbe89e4b8730e45068cfcbe85c6458
SHA1

188b6971599fb5ced362d642527eadf64f8dba2d
SHA256

b007fcf24071434f44f6de53165d5de0079a846d83e87f0426a3a2ed2609e28c
SHA512

4ee10a5092dafd610e68e423f82f352a8197841e53c0c562a92774acad7aba10cf231149807c8a127d431bd458573f692312261982e0da8bc2eaf32a5446e0e2
SSDEEP

6144:S6KuRRAE5rYw0nrxwm/3SlxlJ8nVZx2P/3I:S6K+6IrY5KSiDus

Score

10^/10

modiloader trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

resource	yara_rule
behavioral2/memory/232-0-0x0000000000400000-0x000000000043E000-memory.dmp	modiloader_stage2
behavioral2/memory/232-2-0x0000000010410000-0x0000000010443000-memory.dmp	modiloader_stage2
behavioral2/memory/232-10-0x0000000000400000-0x000000000043E000-memory.dmp	modiloader_stage2

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/232-0-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/232-10-0x0000000000400000-0x000000000043E000-memory.dmp	upx

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4496	232	WerFault.exe	86

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
232	bbbbe89e4b8730e45068cfcbe85c6458.exe
232	bbbbe89e4b8730e45068cfcbe85c6458.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 232 wrote to memory of 4708	232	bbbbe89e4b8730e45068cfcbe85c6458.exe	87
PID 232 wrote to memory of 4708	232	bbbbe89e4b8730e45068cfcbe85c6458.exe	87
PID 232 wrote to memory of 4708	232	bbbbe89e4b8730e45068cfcbe85c6458.exe	87
PID 232 wrote to memory of 4708	232	bbbbe89e4b8730e45068cfcbe85c6458.exe	87
PID 232 wrote to memory of 4708	232	bbbbe89e4b8730e45068cfcbe85c6458.exe	87
PID 232 wrote to memory of 4708	232	bbbbe89e4b8730e45068cfcbe85c6458.exe	87
PID 232 wrote to memory of 4708	232	bbbbe89e4b8730e45068cfcbe85c6458.exe	87
PID 232 wrote to memory of 4708	232	bbbbe89e4b8730e45068cfcbe85c6458.exe	87
PID 232 wrote to memory of 4708	232	bbbbe89e4b8730e45068cfcbe85c6458.exe	87
PID 232 wrote to memory of 4708	232	bbbbe89e4b8730e45068cfcbe85c6458.exe	87
PID 232 wrote to memory of 4708	232	bbbbe89e4b8730e45068cfcbe85c6458.exe	87
PID 232 wrote to memory of 4708	232	bbbbe89e4b8730e45068cfcbe85c6458.exe	87
PID 232 wrote to memory of 4708	232	bbbbe89e4b8730e45068cfcbe85c6458.exe	87
PID 232 wrote to memory of 4708	232	bbbbe89e4b8730e45068cfcbe85c6458.exe	87
PID 232 wrote to memory of 4708	232	bbbbe89e4b8730e45068cfcbe85c6458.exe	87
PID 232 wrote to memory of 4708	232	bbbbe89e4b8730e45068cfcbe85c6458.exe	87
PID 232 wrote to memory of 4708	232	bbbbe89e4b8730e45068cfcbe85c6458.exe	87
PID 232 wrote to memory of 4708	232	bbbbe89e4b8730e45068cfcbe85c6458.exe	87
PID 232 wrote to memory of 4708	232	bbbbe89e4b8730e45068cfcbe85c6458.exe	87
PID 232 wrote to memory of 4708	232	bbbbe89e4b8730e45068cfcbe85c6458.exe	87
PID 232 wrote to memory of 4708	232	bbbbe89e4b8730e45068cfcbe85c6458.exe	87
PID 232 wrote to memory of 4708	232	bbbbe89e4b8730e45068cfcbe85c6458.exe	87
PID 232 wrote to memory of 4708	232	bbbbe89e4b8730e45068cfcbe85c6458.exe	87
PID 232 wrote to memory of 4708	232	bbbbe89e4b8730e45068cfcbe85c6458.exe	87
PID 232 wrote to memory of 4708	232	bbbbe89e4b8730e45068cfcbe85c6458.exe	87
PID 232 wrote to memory of 4708	232	bbbbe89e4b8730e45068cfcbe85c6458.exe	87
PID 232 wrote to memory of 4708	232	bbbbe89e4b8730e45068cfcbe85c6458.exe	87
PID 232 wrote to memory of 4708	232	bbbbe89e4b8730e45068cfcbe85c6458.exe	87
PID 232 wrote to memory of 4708	232	bbbbe89e4b8730e45068cfcbe85c6458.exe	87
PID 232 wrote to memory of 4708	232	bbbbe89e4b8730e45068cfcbe85c6458.exe	87
PID 232 wrote to memory of 4708	232	bbbbe89e4b8730e45068cfcbe85c6458.exe	87
PID 232 wrote to memory of 4708	232	bbbbe89e4b8730e45068cfcbe85c6458.exe	87
PID 232 wrote to memory of 4708	232	bbbbe89e4b8730e45068cfcbe85c6458.exe	87
PID 232 wrote to memory of 4708	232	bbbbe89e4b8730e45068cfcbe85c6458.exe	87
PID 232 wrote to memory of 4708	232	bbbbe89e4b8730e45068cfcbe85c6458.exe	87
PID 232 wrote to memory of 4708	232	bbbbe89e4b8730e45068cfcbe85c6458.exe	87
PID 232 wrote to memory of 4708	232	bbbbe89e4b8730e45068cfcbe85c6458.exe	87
PID 232 wrote to memory of 4708	232	bbbbe89e4b8730e45068cfcbe85c6458.exe	87
PID 232 wrote to memory of 4708	232	bbbbe89e4b8730e45068cfcbe85c6458.exe	87
PID 232 wrote to memory of 4708	232	bbbbe89e4b8730e45068cfcbe85c6458.exe	87
PID 232 wrote to memory of 4708	232	bbbbe89e4b8730e45068cfcbe85c6458.exe	87
PID 232 wrote to memory of 4708	232	bbbbe89e4b8730e45068cfcbe85c6458.exe	87
PID 232 wrote to memory of 4708	232	bbbbe89e4b8730e45068cfcbe85c6458.exe	87
PID 232 wrote to memory of 4708	232	bbbbe89e4b8730e45068cfcbe85c6458.exe	87
PID 232 wrote to memory of 4708	232	bbbbe89e4b8730e45068cfcbe85c6458.exe	87
PID 232 wrote to memory of 4708	232	bbbbe89e4b8730e45068cfcbe85c6458.exe	87
PID 232 wrote to memory of 4708	232	bbbbe89e4b8730e45068cfcbe85c6458.exe	87
PID 232 wrote to memory of 4708	232	bbbbe89e4b8730e45068cfcbe85c6458.exe	87
PID 232 wrote to memory of 4708	232	bbbbe89e4b8730e45068cfcbe85c6458.exe	87
PID 232 wrote to memory of 4708	232	bbbbe89e4b8730e45068cfcbe85c6458.exe	87
PID 232 wrote to memory of 4708	232	bbbbe89e4b8730e45068cfcbe85c6458.exe	87
PID 232 wrote to memory of 4708	232	bbbbe89e4b8730e45068cfcbe85c6458.exe	87
PID 232 wrote to memory of 4708	232	bbbbe89e4b8730e45068cfcbe85c6458.exe	87
PID 232 wrote to memory of 4708	232	bbbbe89e4b8730e45068cfcbe85c6458.exe	87
PID 232 wrote to memory of 4708	232	bbbbe89e4b8730e45068cfcbe85c6458.exe	87
PID 232 wrote to memory of 4708	232	bbbbe89e4b8730e45068cfcbe85c6458.exe	87
PID 232 wrote to memory of 4708	232	bbbbe89e4b8730e45068cfcbe85c6458.exe	87
PID 232 wrote to memory of 4708	232	bbbbe89e4b8730e45068cfcbe85c6458.exe	87
PID 232 wrote to memory of 4708	232	bbbbe89e4b8730e45068cfcbe85c6458.exe	87
PID 232 wrote to memory of 4708	232	bbbbe89e4b8730e45068cfcbe85c6458.exe	87
PID 232 wrote to memory of 4708	232	bbbbe89e4b8730e45068cfcbe85c6458.exe	87
PID 232 wrote to memory of 4708	232	bbbbe89e4b8730e45068cfcbe85c6458.exe	87
PID 232 wrote to memory of 4708	232	bbbbe89e4b8730e45068cfcbe85c6458.exe	87
PID 232 wrote to memory of 4708	232	bbbbe89e4b8730e45068cfcbe85c6458.exe	87

C:\Users\Admin\AppData\Local\Temp\bbbbe89e4b8730e45068cfcbe85c6458.exe
"C:\Users\Admin\AppData\Local\Temp\bbbbe89e4b8730e45068cfcbe85c6458.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:232
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:4708
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 232 -s 456
  2⤵
  - Program crash
  PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 232 -ip 232
1⤵
PID:3136

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/232-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/232-2-0x0000000010410000-0x0000000010443000-memory.dmp

Filesize
204KB

Download
memory/232-10-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download