modiloader | 0b6b9ac7591582a1249f1859902e6814eb2c184875cf722f6e4daaf52166fc5b

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26/03/2024, 17:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b6b9ac7591582a1249f1859902e6814eb2c184875cf722f6e4daaf52166fc5b.exe
Size

308KB
MD5

49e73113b097f9dfbd0859ebb504645b
SHA1

108f6cc83f6129f3c3af63ea3008ee353ab42ef9
SHA256

0b6b9ac7591582a1249f1859902e6814eb2c184875cf722f6e4daaf52166fc5b
SHA512

06b250911a0945af9f1fe6eeabee6bf2cabf59c7d6c748145457c6ce73459ca44c87e90fac55721d2b74066b5aca15c1e8521e6e216fe8a0a1bcfccb7e9bb1c4
SSDEEP

3072:/c3sBG7mXh7m/zZM3jAbNOM6CNtDCZFL:E3sBz0Z4Mj72F

Score

10^/10

modiloader persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Detects Windows executables referencing non-Windows User-Agents 2 IoCs

resource	yara_rule
behavioral1/memory/2396-295426-0x0000000000400000-0x0000000000414000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2396-295434-0x0000000000400000-0x0000000000414000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral1/memory/2396-295426-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2
behavioral1/memory/2396-295434-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2

UPX dump on OEP (original entry point) 11 IoCs

resource	yara_rule
behavioral1/memory/1132-147668-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral1/memory/1132-147672-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral1/memory/1132-147674-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral1/memory/1132-147676-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral1/memory/1132-147677-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral1/memory/1132-165249-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral1/memory/2396-295420-0x0000000000400000-0x0000000000414000-memory.dmp	UPX
behavioral1/memory/1132-295424-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral1/memory/2396-295426-0x0000000000400000-0x0000000000414000-memory.dmp	UPX
behavioral1/memory/2316-295431-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral1/memory/2396-295434-0x0000000000400000-0x0000000000414000-memory.dmp	UPX

Executes dropped EXE 3 IoCs

pid	Process
1064	csrsll.exe
2316	csrsll.exe
2396	csrsll.exe

Loads dropped DLL 5 IoCs

pid	Process
1132	0b6b9ac7591582a1249f1859902e6814eb2c184875cf722f6e4daaf52166fc5b.exe
1132	0b6b9ac7591582a1249f1859902e6814eb2c184875cf722f6e4daaf52166fc5b.exe
1132	0b6b9ac7591582a1249f1859902e6814eb2c184875cf722f6e4daaf52166fc5b.exe
1132	0b6b9ac7591582a1249f1859902e6814eb2c184875cf722f6e4daaf52166fc5b.exe
1132	0b6b9ac7591582a1249f1859902e6814eb2c184875cf722f6e4daaf52166fc5b.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1132-147665-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1132-147668-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1132-147672-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1132-147674-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1132-147676-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1132-147677-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1132-165249-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2396-295420-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/1132-295424-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2396-295426-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/2316-295431-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2396-295434-0x0000000000400000-0x0000000000414000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Win Pdf = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\csrsll.exe"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1996 set thread context of 1132	1996	0b6b9ac7591582a1249f1859902e6814eb2c184875cf722f6e4daaf52166fc5b.exe	29
PID 1064 set thread context of 2316	1064	csrsll.exe	35
PID 1064 set thread context of 2396	1064	csrsll.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2316	csrsll.exe
Token: SeDebugPrivilege	2316	csrsll.exe
Token: SeDebugPrivilege	2316	csrsll.exe
Token: SeDebugPrivilege	2316	csrsll.exe
Token: SeDebugPrivilege	2316	csrsll.exe
Token: SeDebugPrivilege	2316	csrsll.exe
Token: SeDebugPrivilege	2316	csrsll.exe
Token: SeDebugPrivilege	2316	csrsll.exe
Token: SeDebugPrivilege	2316	csrsll.exe
Token: SeDebugPrivilege	2316	csrsll.exe
Token: SeDebugPrivilege	2316	csrsll.exe
Token: SeDebugPrivilege	2316	csrsll.exe
Token: SeDebugPrivilege	2316	csrsll.exe
Token: SeDebugPrivilege	2316	csrsll.exe
Token: SeDebugPrivilege	2316	csrsll.exe
Token: SeDebugPrivilege	2316	csrsll.exe
Token: SeDebugPrivilege	2316	csrsll.exe
Token: SeDebugPrivilege	2316	csrsll.exe
Token: SeDebugPrivilege	2316	csrsll.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1996	0b6b9ac7591582a1249f1859902e6814eb2c184875cf722f6e4daaf52166fc5b.exe
1132	0b6b9ac7591582a1249f1859902e6814eb2c184875cf722f6e4daaf52166fc5b.exe
1064	csrsll.exe
2316	csrsll.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 1132	1996	0b6b9ac7591582a1249f1859902e6814eb2c184875cf722f6e4daaf52166fc5b.exe	29
PID 1996 wrote to memory of 1132	1996	0b6b9ac7591582a1249f1859902e6814eb2c184875cf722f6e4daaf52166fc5b.exe	29
PID 1996 wrote to memory of 1132	1996	0b6b9ac7591582a1249f1859902e6814eb2c184875cf722f6e4daaf52166fc5b.exe	29
PID 1996 wrote to memory of 1132	1996	0b6b9ac7591582a1249f1859902e6814eb2c184875cf722f6e4daaf52166fc5b.exe	29
PID 1996 wrote to memory of 1132	1996	0b6b9ac7591582a1249f1859902e6814eb2c184875cf722f6e4daaf52166fc5b.exe	29
PID 1996 wrote to memory of 1132	1996	0b6b9ac7591582a1249f1859902e6814eb2c184875cf722f6e4daaf52166fc5b.exe	29
PID 1996 wrote to memory of 1132	1996	0b6b9ac7591582a1249f1859902e6814eb2c184875cf722f6e4daaf52166fc5b.exe	29
PID 1996 wrote to memory of 1132	1996	0b6b9ac7591582a1249f1859902e6814eb2c184875cf722f6e4daaf52166fc5b.exe	29
PID 1132 wrote to memory of 2024	1132	0b6b9ac7591582a1249f1859902e6814eb2c184875cf722f6e4daaf52166fc5b.exe	31
PID 1132 wrote to memory of 2024	1132	0b6b9ac7591582a1249f1859902e6814eb2c184875cf722f6e4daaf52166fc5b.exe	31
PID 1132 wrote to memory of 2024	1132	0b6b9ac7591582a1249f1859902e6814eb2c184875cf722f6e4daaf52166fc5b.exe	31
PID 1132 wrote to memory of 2024	1132	0b6b9ac7591582a1249f1859902e6814eb2c184875cf722f6e4daaf52166fc5b.exe	31
PID 2024 wrote to memory of 700	2024	cmd.exe	33
PID 2024 wrote to memory of 700	2024	cmd.exe	33
PID 2024 wrote to memory of 700	2024	cmd.exe	33
PID 2024 wrote to memory of 700	2024	cmd.exe	33
PID 1132 wrote to memory of 1064	1132	0b6b9ac7591582a1249f1859902e6814eb2c184875cf722f6e4daaf52166fc5b.exe	34
PID 1132 wrote to memory of 1064	1132	0b6b9ac7591582a1249f1859902e6814eb2c184875cf722f6e4daaf52166fc5b.exe	34
PID 1132 wrote to memory of 1064	1132	0b6b9ac7591582a1249f1859902e6814eb2c184875cf722f6e4daaf52166fc5b.exe	34
PID 1132 wrote to memory of 1064	1132	0b6b9ac7591582a1249f1859902e6814eb2c184875cf722f6e4daaf52166fc5b.exe	34
PID 1064 wrote to memory of 2316	1064	csrsll.exe	35
PID 1064 wrote to memory of 2316	1064	csrsll.exe	35
PID 1064 wrote to memory of 2316	1064	csrsll.exe	35
PID 1064 wrote to memory of 2316	1064	csrsll.exe	35
PID 1064 wrote to memory of 2316	1064	csrsll.exe	35
PID 1064 wrote to memory of 2316	1064	csrsll.exe	35
PID 1064 wrote to memory of 2316	1064	csrsll.exe	35
PID 1064 wrote to memory of 2316	1064	csrsll.exe	35
PID 1064 wrote to memory of 2396	1064	csrsll.exe	36
PID 1064 wrote to memory of 2396	1064	csrsll.exe	36
PID 1064 wrote to memory of 2396	1064	csrsll.exe	36
PID 1064 wrote to memory of 2396	1064	csrsll.exe	36
PID 1064 wrote to memory of 2396	1064	csrsll.exe	36
PID 1064 wrote to memory of 2396	1064	csrsll.exe	36
PID 1064 wrote to memory of 2396	1064	csrsll.exe	36
PID 1064 wrote to memory of 2396	1064	csrsll.exe	36

C:\Users\Admin\AppData\Local\Temp\0b6b9ac7591582a1249f1859902e6814eb2c184875cf722f6e4daaf52166fc5b.exe
"C:\Users\Admin\AppData\Local\Temp\0b6b9ac7591582a1249f1859902e6814eb2c184875cf722f6e4daaf52166fc5b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Users\Admin\AppData\Local\Temp\0b6b9ac7591582a1249f1859902e6814eb2c184875cf722f6e4daaf52166fc5b.exe
  "C:\Users\Admin\AppData\Local\Temp\0b6b9ac7591582a1249f1859902e6814eb2c184875cf722f6e4daaf52166fc5b.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1132
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\EAXVN.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2024
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Win Pdf" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe" /f
      4⤵
      Adds Run key to start application
      PID:700
- - C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1064
  - - C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2316
  - - C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
      4⤵
      Executes dropped EXE
      PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EAXVN.bat

Filesize
145B

MD5
4eb61ec7816c34ec8c125acadc57ec1b

SHA1
b0015cc865c0bb1a027be663027d3829401a31cc

SHA256
08375cdb2e9819391f67f71e9718c15b48d3eaa452c54bd8fdd1f6a42e899aff

SHA512
f289f01d996dd643560370be8cdf8894e9a676ca3813f706c01ef5d705b9b18246c6cadf10d96edd433a616637b8a78fbd23c5738e76f1c4e671977b6d0cb6c1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe

Filesize
64KB

MD5
13e4ac5b4f3539418d94ae745decd0c9

SHA1
498a71bb5d091487c5438ac0dd4099ad7b1c53cd

SHA256
4a69c9ce7bd54f7082d1882748e1c2660fc0a3f4fef247a1a2b9d6ca995f08fb

SHA512
39a5b99bd70c8f88285467d7030b269e19dcbc9f7eb3343ad729cc4e140687e6de8f0c135d7c133522bb0c220e70dc1d71aea0859f4926d0251827a698236309

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe

Filesize
308KB

MD5
cfa256443329631e509989cdc2f76f4a

SHA1
c8a57519c8fba15523e7382f01f2e205c59b409b

SHA256
6c15e114bb54c19297d06757329a1ba42d54502d55bde45119f2ad1c9a863b7a

SHA512
1f84b39947bbf588d3133e2ab59c536a38a59b066eb63512a4b69d06da0754d811dd6544e49f1cf8fd957d3d4053dde6de5e96ca16de10ef4a3e77b789de8980

Download Submit
memory/1064-295409-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/1064-295386-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1064-295389-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1064-206023-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/1064-147717-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1132-147677-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1132-147665-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1132-147674-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1132-147676-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1132-295424-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1132-147670-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1132-147668-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1132-147662-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1132-165249-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1132-147672-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1996-147664-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/1996-147666-0x0000000000470000-0x0000000000471000-memory.dmp

Filesize
4KB

Download
memory/1996-71388-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1996-3-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1996-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2316-295431-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2396-295420-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2396-295426-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2396-295434-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads