modiloader | 0cf9c23889403841c57502186fa298eed863d4cb55d089256b699c8913de3581

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-09-2024 08:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cf9c23889403841c57502186fa298eed863d4cb55d089256b699c8913de3581N.exe
Size

666KB
MD5

e4adecdfb24eba846689b4affcca8b30
SHA1

4151ca803516cd9560b0d26fdab8e0312d669e4e
SHA256

0cf9c23889403841c57502186fa298eed863d4cb55d089256b699c8913de3581
SHA512

0676eda6a371877d354e583f911c2ed9fbfc981f2aa62d5ae042bd1d82c796ca0232f4168877985be18c6bdc35416dc71dad5ee570e1e37bfd3dc3d2d135aecd
SSDEEP

12288:Uf1Ks4SjTyICxkawPKCkJ+4rP9tVo4DbF3Z4mxxeoEtlK+kt9T2MVuSE:U9KsH5sXwPp2+UPx5QmXXGhF

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral1/memory/2800-80-0x0000000000400000-0x00000000004BC000-memory.dmp	modiloader_stage2
behavioral1/memory/1860-88-0x0000000000400000-0x00000000004BC000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

pid	Process
1860	1.exe
2800	win26.exe

Loads dropped DLL 4 IoCs

pid	Process
576	0cf9c23889403841c57502186fa298eed863d4cb55d089256b699c8913de3581N.exe
576	0cf9c23889403841c57502186fa298eed863d4cb55d089256b699c8913de3581N.exe
1860	1.exe
1860	1.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\win26.exe	1.exe
File opened for modification	C:\Windows\SysWOW64\win26.exe	win26.exe
File created	C:\Windows\SysWOW64\SetupDel.bat	1.exe
File created	C:\Windows\SysWOW64\win26.exe	1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	win26.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0cf9c23889403841c57502186fa298eed863d4cb55d089256b699c8913de3581N.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 576 wrote to memory of 1860	576	0cf9c23889403841c57502186fa298eed863d4cb55d089256b699c8913de3581N.exe	31
PID 576 wrote to memory of 1860	576	0cf9c23889403841c57502186fa298eed863d4cb55d089256b699c8913de3581N.exe	31
PID 576 wrote to memory of 1860	576	0cf9c23889403841c57502186fa298eed863d4cb55d089256b699c8913de3581N.exe	31
PID 576 wrote to memory of 1860	576	0cf9c23889403841c57502186fa298eed863d4cb55d089256b699c8913de3581N.exe	31
PID 1860 wrote to memory of 2800	1860	1.exe	32
PID 1860 wrote to memory of 2800	1860	1.exe	32
PID 1860 wrote to memory of 2800	1860	1.exe	32
PID 1860 wrote to memory of 2800	1860	1.exe	32
PID 1860 wrote to memory of 2556	1860	1.exe	33
PID 1860 wrote to memory of 2556	1860	1.exe	33
PID 1860 wrote to memory of 2556	1860	1.exe	33
PID 1860 wrote to memory of 2556	1860	1.exe	33
PID 1860 wrote to memory of 2556	1860	1.exe	33
PID 1860 wrote to memory of 2556	1860	1.exe	33
PID 1860 wrote to memory of 2556	1860	1.exe	33

C:\Users\Admin\AppData\Local\Temp\0cf9c23889403841c57502186fa298eed863d4cb55d089256b699c8913de3581N.exe
"C:\Users\Admin\AppData\Local\Temp\0cf9c23889403841c57502186fa298eed863d4cb55d089256b699c8913de3581N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:576
- C:\Users\Admin\AppData\Local\Temp\1.exe
  "C:\Users\Admin\AppData\Local\Temp\1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1860
- - C:\Windows\SysWOW64\win26.exe
    C:\Windows\system32\win26.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:2800
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\system32\SetupDel.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\SetupDel.bat

Filesize
122B

MD5
d15f7378cdf005521f5e4089d5aaa8f2

SHA1
26f89a668c5b5942fdb53edfeb4c6654d1a64197

SHA256
c40b64dbde2d7a5ca1d04cd91b3974efb87ea126f1d9085c207b114fd1b74338

SHA512
49f280c5246cc3919129ef661f7e06830f37fcc6f324c1f8faa7156489001e33acbc0aa87df9a65eaa5751538feea708373b818c501c7afe2cad189834305137

Download Submit
\Users\Admin\AppData\Local\Temp\1.exe

Filesize
352KB

MD5
0fd10ec30b16d6bd64d7d73d9af8ff1e

SHA1
b24257dc6be322da960934ec1fde9be1aa44a527

SHA256
9376122b43ab5fc856b934a17d3b92f84423f8cc0c722940b9aa3fd2e50dbbcc

SHA512
ad9e6361515110d1f9763d9ccc1aabc8b9016b82ab00e4d285c5589fadeb51e260fed58afce70165e6205eed627d2beae5fb33d9c5980a2b8766f94c3df119e0

Download Submit
memory/576-0-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/576-1-0x0000000000280000-0x00000000002D4000-memory.dmp

Filesize
336KB

Download
memory/576-16-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download
memory/576-50-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/576-49-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/576-48-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download
memory/576-47-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download
memory/576-46-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download
memory/576-45-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download
memory/576-44-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download
memory/576-43-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download
memory/576-42-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/576-41-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/576-40-0x0000000001F90000-0x0000000001F91000-memory.dmp

Filesize
4KB

Download
memory/576-39-0x0000000001FA0000-0x0000000001FA1000-memory.dmp

Filesize
4KB

Download
memory/576-38-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/576-37-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/576-36-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/576-35-0x0000000001F70000-0x0000000001F71000-memory.dmp

Filesize
4KB

Download
memory/576-34-0x0000000001E20000-0x0000000001E21000-memory.dmp

Filesize
4KB

Download
memory/576-33-0x0000000001F50000-0x0000000001F51000-memory.dmp

Filesize
4KB

Download
memory/576-32-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/576-31-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/576-30-0x0000000001F60000-0x0000000001F61000-memory.dmp

Filesize
4KB

Download
memory/576-29-0x00000000031D0000-0x00000000031D1000-memory.dmp

Filesize
4KB

Download
memory/576-28-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download
memory/576-27-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download
memory/576-26-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download
memory/576-25-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download
memory/576-24-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download
memory/576-23-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download
memory/576-22-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download
memory/576-21-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download
memory/576-20-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download
memory/576-19-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download
memory/576-18-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download
memory/576-17-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download
memory/576-15-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/576-14-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download
memory/576-13-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download
memory/576-12-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download
memory/576-11-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download
memory/576-10-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download
memory/576-9-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download
memory/576-8-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/576-7-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/576-6-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/576-5-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/576-4-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/576-3-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/576-2-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/576-51-0x00000000031D0000-0x00000000031D1000-memory.dmp

Filesize
4KB

Download
memory/576-52-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/576-55-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/576-58-0x0000000000280000-0x00000000002D4000-memory.dmp

Filesize
336KB

Download
memory/576-56-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/576-54-0x00000000031C0000-0x00000000031C2000-memory.dmp

Filesize
8KB

Download
memory/576-53-0x00000000031D0000-0x00000000031D1000-memory.dmp

Filesize
4KB

Download
memory/576-68-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/1860-88-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2800-80-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download