modiloader | 8d14a58eab0de8aca7cad6b91064e0585dd59a97e4b87239d1a7be703e588ae6

Analysis

max time kernel
140s
max time network
125s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
30-05-2024 23:11

Target

6c6f37ce5c7b8b7a0a0bbc59c1480b60_NeikiAnalytics.dll
Size

144KB
MD5

6c6f37ce5c7b8b7a0a0bbc59c1480b60
SHA1

a0c04ed35c13147be92c6126aedae6daa066a6b3
SHA256

8d14a58eab0de8aca7cad6b91064e0585dd59a97e4b87239d1a7be703e588ae6
SHA512

cecec39886230fb5eca8f35783b9b4af2171a47d66cfbd170003a84ea7963b4f03191d8a6e4281cd1f17195fd9473e5759c8219dde655ffaea97b2c66c662d71
SSDEEP

3072:IWQhfw25OtOj/1c/8GJI2v874kKRtX24rzbK02qYmLi3ivrWz:IW52sCcH61Q24HO02qYSi3iq

Score

10^/10

modiloader trojan

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1896-0-0x0000000000140000-0x000000000016C000-memory.dmp	modiloader_stage2
behavioral1/memory/1896-1-0x0000000000140000-0x000000000016C000-memory.dmp	modiloader_stage2

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2744 1896 WerFault.exe rundll32.exe

pid	pid_target	process	target process
2744	1896	WerFault.exe	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1692 wrote to memory of 1896	1692	rundll32.exe	rundll32.exe
PID 1692 wrote to memory of 1896	1692	rundll32.exe	rundll32.exe
PID 1692 wrote to memory of 1896	1692	rundll32.exe	rundll32.exe
PID 1692 wrote to memory of 1896	1692	rundll32.exe	rundll32.exe
PID 1692 wrote to memory of 1896	1692	rundll32.exe	rundll32.exe
PID 1692 wrote to memory of 1896	1692	rundll32.exe	rundll32.exe
PID 1692 wrote to memory of 1896	1692	rundll32.exe	rundll32.exe
PID 1896 wrote to memory of 2744	1896	rundll32.exe	WerFault.exe
PID 1896 wrote to memory of 2744	1896	rundll32.exe	WerFault.exe
PID 1896 wrote to memory of 2744	1896	rundll32.exe	WerFault.exe
PID 1896 wrote to memory of 2744	1896	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6c6f37ce5c7b8b7a0a0bbc59c1480b60_NeikiAnalytics.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6c6f37ce5c7b8b7a0a0bbc59c1480b60_NeikiAnalytics.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 248
3⤵
- Program crash
PID:2744

memory/1896-0-0x0000000000140000-0x000000000016C000-memory.dmp

Filesize
176KB

Download
memory/1896-1-0x0000000000140000-0x000000000016C000-memory.dmp

Filesize
176KB

Download