modiloader | b254c1814f2a27b5befc90960f40a2a547cfe8e991fe07ed08c5057b42165ef2

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/03/2024, 03:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd02f4398c38deb43211111e7c725b60.exe
Size

383KB
MD5

cd02f4398c38deb43211111e7c725b60
SHA1

68b1dac7bd049ee452e76613dfc0f701b1de1b72
SHA256

b254c1814f2a27b5befc90960f40a2a547cfe8e991fe07ed08c5057b42165ef2
SHA512

78ce388e86be189f3894b3aa5b2d7d7a38aab5f4afe2c196ae5b0d347ac3df9eb557aa96476667e512fe7ceb2f3981ea8063c31cc5d48ea46f9fea38560a0d8d
SSDEEP

6144:KzO+ob7iGBCpdCNgHD0N0vaTMjpkFl+9u8Croad7zYoSZHk19jTBdEC1/:3+LGqMNgHQ3T6QlYeUoiE19jTcu/

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 4 IoCs

resource	yara_rule
behavioral1/files/0x0007000000015be6-13.dat	modiloader_stage2
behavioral1/memory/1420-20-0x0000000000400000-0x0000000000466000-memory.dmp	modiloader_stage2
behavioral1/memory/2056-21-0x0000000000400000-0x0000000000466000-memory.dmp	modiloader_stage2
behavioral1/memory/1420-25-0x0000000000400000-0x0000000000466000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
2056	rascetrs.exe

Loads dropped DLL 2 IoCs

pid	Process
2600	WerFault.exe
2600	WerFault.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\nacktio.sys	cd02f4398c38deb43211111e7c725b60.exe
File created	C:\Windows\SysWOW64\natrnie.sys	cd02f4398c38deb43211111e7c725b60.exe
File created	C:\Windows\SysWOW64\entarnoi.sys	cd02f4398c38deb43211111e7c725b60.exe
File created	C:\Windows\SysWOW64\critrfs.sys	cd02f4398c38deb43211111e7c725b60.exe
File created	C:\Windows\SysWOW64\rascetrs.exe	cd02f4398c38deb43211111e7c725b60.exe
File opened for modification	C:\Windows\SysWOW64\rascetrs.exe	cd02f4398c38deb43211111e7c725b60.exe
File created	C:\Windows\SysWOW64\ncpxa.DLL	cd02f4398c38deb43211111e7c725b60.exe
File created	C:\Windows\SysWOW64\nacktio.sys	rascetrs.exe
File opened for modification	C:\Windows\SysWOW64\critrfs.sys	cd02f4398c38deb43211111e7c725b60.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2600	2056	WerFault.exe	28

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 2600	2056	rascetrs.exe	29
PID 2056 wrote to memory of 2600	2056	rascetrs.exe	29
PID 2056 wrote to memory of 2600	2056	rascetrs.exe	29
PID 2056 wrote to memory of 2600	2056	rascetrs.exe	29

C:\Users\Admin\AppData\Local\Temp\cd02f4398c38deb43211111e7c725b60.exe
"C:\Users\Admin\AppData\Local\Temp\cd02f4398c38deb43211111e7c725b60.exe"
1⤵
- Drops file in System32 directory
PID:1420

C:\Windows\SysWOW64\rascetrs.exe
C:\Windows\SysWOW64\rascetrs.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 132
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:2600

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\entarnoi.sys

Filesize
17B

MD5
d39c71330772b00fdfc424d152358ce0

SHA1
22d5db4af2fc6e17e8d72a5ea6c7d1f603de282b

SHA256
fecd77375588f0d106055de4fa2e94d9c9676a07fdd97de7f467c7dfab2bcead

SHA512
7557361a0e600ad5f64f551b7700f40c4d995a5ac2d34cfbdbe34b154eb09c3c3126716b2bd56b2828b28dd6f6dc70927bb3ec6b580328804f867bb5b4fc15c8

Download Submit
C:\Windows\SysWOW64\nacktio.sys

Filesize
15B

MD5
40d42be372aef4d98307061d3d84ac8f

SHA1
b322bdd0e12eee768393b5b407a11ff0e9d5f201

SHA256
91e2e5f74556bee5d0916532362e4101cd8bb6616dc1cdcc3cba5b0beb748bc6

SHA512
d611ef49b78c4b5a4ac168175b265825e6110cf150a098c5b7b07a2aa6a9c0b54e0f9aa367d5194fbaf6cf1f3d8a58a2581c3be473e48c6202be5730ad1f3092

Download Submit
C:\Windows\SysWOW64\natrnie.sys

Filesize
8B

MD5
1cd653f3b4ef4fdbe3498860167f1f08

SHA1
8aadddfdcb3bde2c46ae10130aa0536c2c481fa0

SHA256
95a370282b6c2dff5a626eb71e6fa4f4a1b7559c58ec34d3cbb44af4a57cffb3

SHA512
3fc59e2069e45ba80d670229b671c0523244847e5716e03ba89b7435738bd9c0caa40d4c6c2cf47c7afed232ddd41fcae559b1b1e378e4d192d7becd75f3be9b

Download Submit
C:\Windows\SysWOW64\rascetrs.exe

Filesize
383KB

MD5
cd02f4398c38deb43211111e7c725b60

SHA1
68b1dac7bd049ee452e76613dfc0f701b1de1b72

SHA256
b254c1814f2a27b5befc90960f40a2a547cfe8e991fe07ed08c5057b42165ef2

SHA512
78ce388e86be189f3894b3aa5b2d7d7a38aab5f4afe2c196ae5b0d347ac3df9eb557aa96476667e512fe7ceb2f3981ea8063c31cc5d48ea46f9fea38560a0d8d

Download Submit
memory/1420-20-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1420-25-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2056-21-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download