modiloader | 8d14a58eab0de8aca7cad6b91064e0585dd59a97e4b87239d1a7be703e588ae6

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
30-05-2024 23:11

Target

6c6f37ce5c7b8b7a0a0bbc59c1480b60_NeikiAnalytics.dll
Size

144KB
MD5

6c6f37ce5c7b8b7a0a0bbc59c1480b60
SHA1

a0c04ed35c13147be92c6126aedae6daa066a6b3
SHA256

8d14a58eab0de8aca7cad6b91064e0585dd59a97e4b87239d1a7be703e588ae6
SHA512

cecec39886230fb5eca8f35783b9b4af2171a47d66cfbd170003a84ea7963b4f03191d8a6e4281cd1f17195fd9473e5759c8219dde655ffaea97b2c66c662d71
SSDEEP

3072:IWQhfw25OtOj/1c/8GJI2v874kKRtX24rzbK02qYmLi3ivrWz:IW52sCcH61Q24HO02qYSi3iq

Score

10^/10

modiloader trojan

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4816-0-0x0000000000400000-0x000000000042C000-memory.dmp	modiloader_stage2

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2352 4816 WerFault.exe rundll32.exe

pid	pid_target	process	target process
2352	4816	WerFault.exe	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3336 wrote to memory of 4816	3336	rundll32.exe	rundll32.exe
PID 3336 wrote to memory of 4816	3336	rundll32.exe	rundll32.exe
PID 3336 wrote to memory of 4816	3336	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6c6f37ce5c7b8b7a0a0bbc59c1480b60_NeikiAnalytics.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3336

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6c6f37ce5c7b8b7a0a0bbc59c1480b60_NeikiAnalytics.dll,#1
2⤵
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 672
3⤵
- Program crash
PID:2352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4816 -ip 4816
1⤵
PID:4168

memory/4816-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download