modiloader | e723ee615d7a64e918ab185b645324a0cb1b376302d33b54995b54da39be51f3

Analysis

max time kernel
157s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19-05-2024 20:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

autoss.exe
Size

2.1MB
MD5

da4e0703a34085c2fa77d86492273381
SHA1

6905a25afa412c21528fa601c121c957d0436248
SHA256

41064f46efbd85824697f4675ff6d70e9b47107891fcc5a966361deb370a70cf
SHA512

98d339c8e915f8d967641eafc22ee14216a9d5dd61e660d0aba557af622667b52eeacb9d54a043b04bae6079937986d4b7ad219077ceea348de328b6520d6327
SSDEEP

24576:IbYUSrlwjSVB9y81hXlEM2Iu9VYRj/1rRiVzC2:Is3zy4u9WD1twzC

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 4 IoCs

Processes:

resource	yara_rule
behavioral16/memory/4572-1-0x0000000000400000-0x0000000000615000-memory.dmp	modiloader_stage2
behavioral16/memory/4572-4-0x0000000000400000-0x0000000000615000-memory.dmp	modiloader_stage2
behavioral16/memory/4572-9-0x0000000000400000-0x0000000000615000-memory.dmp	modiloader_stage2
behavioral16/memory/4572-18-0x0000000000400000-0x0000000000615000-memory.dmp	modiloader_stage2

Modifies registry class 6 IoCs

Processes:

autoss.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	autoss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B2178DF1-BDA4-421D-B03E-EA1B3A25F281}	autoss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B2178DF1-BDA4-421D-B03E-EA1B3A25F281}\Info	autoss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B2178DF1-BDA4-421D-B03E-EA1B3A25F281}\Info\Data = 0000000057d0d794340000c018fb1900e802000000000000dcf919002c2ba4775cfb190040ada477f7ef63e3feffffffe4fa190018552077340000c000000000a8fb19002555207740fb1900000002000c00000048fb190000000000e8020000020000004c00190000000000000000004cfa1900902a740000000000fa3944c3e20b000014201208dc00ab979cfa19000c5c0200fae96704b0fa1900010000009cfa19003c0000002baada011cd2189900000000fae96704b0fa190004000000a7010000e4fa1900c6cd007740fb19008cfb190008124302e8070500130014001f003a00ca0300001cd218992baada010800000000000000000000000000000000000000000000000000000024fb1900b7e5217700fb19000cfb190040fb1900982d410205e621771cd218992baada012000fe7fe8070500130014001f003a00ca0300009c7a8eb7e0debbc078fb190051e5217740fb1900982d410208124302081243020000000005000000130097b71f00e640fae967040500000178fb1900cfa5400070fb1900ca031900982d41020812430204322e3030392e0b9d60eb3f1e00000060aa4000ca0319002e0b9d602e0b9d60bb32e6400000130014001f00	autoss.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{B2178DF1-BDA4-421D-B03E-EA1B3A25F281}\Info	autoss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	autoss.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

autoss.exe

description	pid	process
Token: 33	4572	autoss.exe
Token: SeIncBasePriorityPrivilege	4572	autoss.exe
Token: 33	4572	autoss.exe
Token: SeIncBasePriorityPrivilege	4572	autoss.exe
Token: 33	4572	autoss.exe
Token: SeIncBasePriorityPrivilege	4572	autoss.exe
Token: 33	4572	autoss.exe
Token: SeIncBasePriorityPrivilege	4572	autoss.exe

Suspicious use of FindShellTrayWindow 9 IoCs

Processes:

autoss.exe

pid process

4572 autoss.exe
4572 autoss.exe
4572 autoss.exe
4572 autoss.exe
4572 autoss.exe
4572 autoss.exe
4572 autoss.exe
4572 autoss.exe
4572 autoss.exe
Suspicious use of SendNotifyMessage 9 IoCs

Processes:

autoss.exe

pid process

4572 autoss.exe
4572 autoss.exe
4572 autoss.exe
4572 autoss.exe
4572 autoss.exe
4572 autoss.exe
4572 autoss.exe
4572 autoss.exe
4572 autoss.exe

pid	process
4572	autoss.exe
4572	autoss.exe
4572	autoss.exe
4572	autoss.exe
4572	autoss.exe
4572	autoss.exe
4572	autoss.exe
4572	autoss.exe
4572	autoss.exe

pid	process
4572	autoss.exe
4572	autoss.exe
4572	autoss.exe
4572	autoss.exe
4572	autoss.exe
4572	autoss.exe
4572	autoss.exe
4572	autoss.exe
4572	autoss.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

autoss.exe

description	pid	process	target process
PID 4572 wrote to memory of 1444	4572	autoss.exe	cmd.exe
PID 4572 wrote to memory of 1444	4572	autoss.exe	cmd.exe
PID 4572 wrote to memory of 1444	4572	autoss.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\autoss.exe
"C:\Users\Admin\AppData\Local\Temp\autoss.exe"
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4572
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C C:\Users\Admin\AppData\Local\Temp\~RomDmp1\RomDump.com > C:\Users\Admin\AppData\Local\Temp\~RomDmp1\Rom.dmp
  2⤵
  PID:1444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1420 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
1⤵
PID:5012

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wake.ini

Filesize
67B

MD5
97bb424f9b87f82837c052ac0492854a

SHA1
5cbda78e812bdae84eb528489e63127e04ae9c59

SHA256
8b844e87344f777a6c6d555484c958c81256fea9f8c4dccb8b7323935eda502c

SHA512
9553cee58331de204feb5b29514952033f582dc433d779b890c70aaf856f50153964da7cc8c3ffef855b0237a50271ef7d14b47db98f1a64a3fa6187f48d33a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\~RomDmp1\RomDump.com

Filesize
46B

MD5
74ea83a987cf7e29fe79b16b15b4bbed

SHA1
452a79ee1211fad2efdfaf203e4b092f937208fc

SHA256
9b327617c8c6fc6c70b7ada3ea40edcb143f0925d0c33fbb8a0a366020deed9d

SHA512
35334ba33584b60b2774a4404706d88382b4ab647a3e9afe231e7910246c6fb851a2ae860652771fe2809e40abdc922d75f08616b8dc1ea16e2eefa572000355

Download Submit
memory/4572-0-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/4572-1-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/4572-4-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/4572-9-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/4572-10-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/4572-18-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download