modiloader | 2fd32685ea00eae9c4b1701a63807b27a8583a8cf266a19597105a8255d19fad

Analysis

max time kernel
153s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 13:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

autoss.exe
Size

2.1MB
MD5

da4e0703a34085c2fa77d86492273381
SHA1

6905a25afa412c21528fa601c121c957d0436248
SHA256

41064f46efbd85824697f4675ff6d70e9b47107891fcc5a966361deb370a70cf
SHA512

98d339c8e915f8d967641eafc22ee14216a9d5dd61e660d0aba557af622667b52eeacb9d54a043b04bae6079937986d4b7ad219077ceea348de328b6520d6327
SSDEEP

24576:IbYUSrlwjSVB9y81hXlEM2Iu9VYRj/1rRiVzC2:Is3zy4u9WD1twzC

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

Processes:

resource	yara_rule
behavioral16/memory/2384-3-0x0000000000400000-0x0000000000615000-memory.dmp	modiloader_stage2
behavioral16/memory/2384-15-0x0000000000400000-0x0000000000615000-memory.dmp	modiloader_stage2
behavioral16/memory/2384-24-0x0000000000400000-0x0000000000615000-memory.dmp	modiloader_stage2

Modifies registry class 6 IoCs

Processes:

autoss.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B2178DF1-BDA4-421D-B03E-EA1B3A25F281}	autoss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B2178DF1-BDA4-421D-B03E-EA1B3A25F281}\Info	autoss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B2178DF1-BDA4-421D-B03E-EA1B3A25F281}\Info\Data = 000000006a4075ad340000c018fb1900e402000000000000dcf919002c2bfc765cfb190040adfc76ca7f69dafeffffffe4fa19001855bd75340000c000000000a8fb19002555bd7540fb1900000002000c00000048fb190000000000e4020000020000004c00190000000000000000004cfa1900902a660000000000abfea698e20b000014201208788d91769cfa1900045c0200ab8efd02b0fa1900010000009cfa19003c000000aaa3da01d11b3cfb00000000ab8efd02b0fa190004000000a7010000e4fa1900c6cd007640fb19008cfb190008124802e80705000b000d0038000b0033020600d11b3cfbaaa3da010800000000000000000000000000000000000000000000000000000024fb1900b7e5be7500fb19000cfb190040fb1900982d460205e6be75d11b3cfbaaa3da012000fe7fe80705000b000d0038000b0033020600a91caa36d5b87a4378fb190051e5be7540fb1900982d4602081248020812480200000000050000000b00b3363800e640ab8efd020500000178fb1900cfa5400070fb190033021900982d46020812480204322e3030098fe80195e23f1e00000060aa4000330219008fe801958fe80195b231e64006000b000d003800	autoss.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{B2178DF1-BDA4-421D-B03E-EA1B3A25F281}\Info	autoss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	autoss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	autoss.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

autoss.exe

description	pid	process
Token: 33	2384	autoss.exe
Token: SeIncBasePriorityPrivilege	2384	autoss.exe
Token: 33	2384	autoss.exe
Token: SeIncBasePriorityPrivilege	2384	autoss.exe
Token: 33	2384	autoss.exe
Token: SeIncBasePriorityPrivilege	2384	autoss.exe
Token: 33	2384	autoss.exe
Token: SeIncBasePriorityPrivilege	2384	autoss.exe

Suspicious use of FindShellTrayWindow 9 IoCs

Processes:

autoss.exe

pid process

2384 autoss.exe
2384 autoss.exe
2384 autoss.exe
2384 autoss.exe
2384 autoss.exe
2384 autoss.exe
2384 autoss.exe
2384 autoss.exe
2384 autoss.exe
Suspicious use of SendNotifyMessage 9 IoCs

Processes:

autoss.exe

pid process

2384 autoss.exe
2384 autoss.exe
2384 autoss.exe
2384 autoss.exe
2384 autoss.exe
2384 autoss.exe
2384 autoss.exe
2384 autoss.exe
2384 autoss.exe

pid	process
2384	autoss.exe
2384	autoss.exe
2384	autoss.exe
2384	autoss.exe
2384	autoss.exe
2384	autoss.exe
2384	autoss.exe
2384	autoss.exe
2384	autoss.exe

pid	process
2384	autoss.exe
2384	autoss.exe
2384	autoss.exe
2384	autoss.exe
2384	autoss.exe
2384	autoss.exe
2384	autoss.exe
2384	autoss.exe
2384	autoss.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

autoss.exe

description	pid	process	target process
PID 2384 wrote to memory of 1896	2384	autoss.exe	cmd.exe
PID 2384 wrote to memory of 1896	2384	autoss.exe	cmd.exe
PID 2384 wrote to memory of 1896	2384	autoss.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\autoss.exe
"C:\Users\Admin\AppData\Local\Temp\autoss.exe"
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C C:\Users\Admin\AppData\Local\Temp\~RomDmp1\RomDump.com > C:\Users\Admin\AppData\Local\Temp\~RomDmp1\Rom.dmp
2⤵
PID:1896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5424 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
1⤵
PID:1504

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wake.ini
Filesize
67B

MD5
97bb424f9b87f82837c052ac0492854a

SHA1
5cbda78e812bdae84eb528489e63127e04ae9c59

SHA256
8b844e87344f777a6c6d555484c958c81256fea9f8c4dccb8b7323935eda502c

SHA512
9553cee58331de204feb5b29514952033f582dc433d779b890c70aaf856f50153964da7cc8c3ffef855b0237a50271ef7d14b47db98f1a64a3fa6187f48d33a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\wake.ini
Filesize
53B

MD5
e4f2b39c347c092bb1af852cec8a19af

SHA1
e2e0873d600e7eeacbad5467d66ec0cdd57ec673

SHA256
8ab7a67931e8ab579c5b826ee9fd0a818b52b8330b9766782f8c3deba3b97c5c

SHA512
543dcb794956f848cb0a871b6d10e75042c42d69e8b34e41d7fb2c4c5a425fd66d0524f09b3cae5e10f8703ca76e54cf383114c5ba747fc4c3cf40082248d26f

Download Submit
C:\Users\Admin\AppData\Local\Temp\~RomDmp1\RomDump.com
Filesize
46B

MD5
74ea83a987cf7e29fe79b16b15b4bbed

SHA1
452a79ee1211fad2efdfaf203e4b092f937208fc

SHA256
9b327617c8c6fc6c70b7ada3ea40edcb143f0925d0c33fbb8a0a366020deed9d

SHA512
35334ba33584b60b2774a4404706d88382b4ab647a3e9afe231e7910246c6fb851a2ae860652771fe2809e40abdc922d75f08616b8dc1ea16e2eefa572000355

Download Submit
memory/2384-0-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/2384-3-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/2384-15-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/2384-17-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/2384-24-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download