modiloader | 16b69225a2ff2864aa0dd9753b69f4e0c79985bea93edc8f235bb0bd8cee11c5

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04-06-2024 13:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

123.exe
Size

397KB
MD5

699e220e2f6c4b2ead0a3a2fc780b567
SHA1

760868038eef5a42011b298ef886588de142ea85
SHA256

16b69225a2ff2864aa0dd9753b69f4e0c79985bea93edc8f235bb0bd8cee11c5
SHA512

9f82b88e35e146068fa7cce058c66721ec7de03869d8595c7e9ae61852d0b9261efa9bf72eb6694701096bc159f2f703ea6e744c414b1fa183abdc6ddd8e6775
SSDEEP

6144:MLy84u9nSO2GjZkD10BIY3rb1YfBdfpoZ3u/Ht52w6JSeiFPXmg7:Y+u9nx2GjMY3XKfd/H/9Pr7

Score

10^/10

modiloader persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4548-1-0x0000000000400000-0x000000000046A000-memory.dmp	modiloader_stage2

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

123.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\123.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\123.exe"	123.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

123.exe

pid	process
4548	123.exe
4548	123.exe
4548	123.exe
4548	123.exe
4548	123.exe
4548	123.exe
4548	123.exe
4548	123.exe
4548	123.exe
4548	123.exe
4548	123.exe
4548	123.exe
4548	123.exe
4548	123.exe
4548	123.exe
4548	123.exe
4548	123.exe
4548	123.exe
4548	123.exe
4548	123.exe
4548	123.exe
4548	123.exe
4548	123.exe
4548	123.exe
4548	123.exe
4548	123.exe
4548	123.exe
4548	123.exe
4548	123.exe
4548	123.exe
4548	123.exe
4548	123.exe
4548	123.exe
4548	123.exe
4548	123.exe
4548	123.exe
4548	123.exe
4548	123.exe
4548	123.exe
4548	123.exe
4548	123.exe
4548	123.exe
4548	123.exe
4548	123.exe
4548	123.exe
4548	123.exe
4548	123.exe
4548	123.exe
4548	123.exe
4548	123.exe
4548	123.exe
4548	123.exe
4548	123.exe
4548	123.exe
4548	123.exe
4548	123.exe
4548	123.exe
4548	123.exe
4548	123.exe
4548	123.exe
4548	123.exe
4548	123.exe
4548	123.exe
4548	123.exe

C:\Users\Admin\AppData\Local\Temp\123.exe
"C:\Users\Admin\AppData\Local\Temp\123.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:4548

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3212

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4548-0-0x00000000020E0000-0x00000000020E1000-memory.dmp

Filesize
4KB

Download
memory/4548-1-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download