modiloader | 98f0a95b821db0ee09af459cadefd860d332f635ea6021f148709fbbf78cc1bc

Analysis

max time kernel
1800s
max time network
1563s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26-03-2024 13:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.exe
Size

285KB
MD5

e9f2c106d42f4f0927de8bfa674bef16
SHA1

48f570ef7138ead6607493c9cddc874041d7b277
SHA256

d03f854fb903665514fbaf7a3d3d93c9644a3c6bd2fb4b01d4a2f5d9b299533f
SHA512

31725dd0841d52ef53625f592a586be9c479a1d37b615917bf6d56af223da503834291e4db44693fcdde7b390007e38b7f472c99bc31bb50eb2ba3917cec28a2
SSDEEP

6144:rsJBOMz6Yjddeym2cMLzvJtb7YzDh/U8IHj7PRJz:Y36YncqvJtH0e8IHXRJ

Score

10^/10

modiloader persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral1/memory/3048-2-0x0000000000400000-0x000000000047F000-memory.dmp	modiloader_stage2
behavioral1/memory/3048-4-0x0000000000400000-0x000000000047F000-memory.dmp	modiloader_stage2

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3048-0-0x0000000000400000-0x000000000047F000-memory.dmp	upx
behavioral1/memory/3048-2-0x0000000000400000-0x000000000047F000-memory.dmp	upx
behavioral1/memory/3048-4-0x0000000000400000-0x000000000047F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1.exe"	1.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3048	1.exe
3048	1.exe
3048	1.exe
3048	1.exe
3048	1.exe
3048	1.exe
3048	1.exe
3048	1.exe
3048	1.exe
3048	1.exe
3048	1.exe
3048	1.exe
3048	1.exe
3048	1.exe
3048	1.exe
3048	1.exe
3048	1.exe
3048	1.exe
3048	1.exe
3048	1.exe
3048	1.exe
3048	1.exe
3048	1.exe
3048	1.exe
3048	1.exe
3048	1.exe
3048	1.exe
3048	1.exe
3048	1.exe
3048	1.exe
3048	1.exe
3048	1.exe
3048	1.exe
3048	1.exe
3048	1.exe
3048	1.exe
3048	1.exe
3048	1.exe
3048	1.exe
3048	1.exe
3048	1.exe
3048	1.exe
3048	1.exe
3048	1.exe
3048	1.exe
3048	1.exe
3048	1.exe
3048	1.exe
3048	1.exe
3048	1.exe
3048	1.exe
3048	1.exe
3048	1.exe
3048	1.exe
3048	1.exe
3048	1.exe
3048	1.exe
3048	1.exe
3048	1.exe
3048	1.exe
3048	1.exe
3048	1.exe
3048	1.exe
3048	1.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3048	1.exe

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:3048

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3048-0-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3048-1-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download
memory/3048-2-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3048-3-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/3048-4-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3048-6-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download