modiloader | 01ee00438aae21b9e5e71585ce24f95f99cd3f47cf8430bec99e590122b7c0e3

Analysis

max time kernel
68s
max time network
67s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/09/2024, 05:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01ee00438aae21b9e5e71585ce24f95f99cd3f47cf8430bec99e590122b7c0e3N.exe
Size

353KB
MD5

ee547d07a66ddee8cd8a89f5c7af17e0
SHA1

5fa01bd7b8b42f6c136a771c1323464514359253
SHA256

01ee00438aae21b9e5e71585ce24f95f99cd3f47cf8430bec99e590122b7c0e3
SHA512

519cfa9ebf588f3311d153d7c887f94991213e78e30d696da1b7b711419e3b3b83963553c923a1bb51728e9238e03373f5a93c85942b8e8ef9458f7e7783919b
SSDEEP

6144:VApv2TGV7drbndj93FK+BX2JagZfjhJkiZdkCGrAtDuWhXVf40gPbuykp:VApv2T8Bn3FsthawZGctB9gzyp

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral1/memory/2272-5-0x0000000000400000-0x0000000000520000-memory.dmp	modiloader_stage2

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2272 set thread context of 2700	2272	01ee00438aae21b9e5e71585ce24f95f99cd3f47cf8430bec99e590122b7c0e3N.exe	30

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\paramstr.txt	01ee00438aae21b9e5e71585ce24f95f99cd3f47cf8430bec99e590122b7c0e3N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	01ee00438aae21b9e5e71585ce24f95f99cd3f47cf8430bec99e590122b7c0e3N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{63AFEE81-7B02-11EF-BFE2-7E918DD97D05} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433405433"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2700	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2700	IEXPLORE.EXE
2700	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 2700	2272	01ee00438aae21b9e5e71585ce24f95f99cd3f47cf8430bec99e590122b7c0e3N.exe	30
PID 2272 wrote to memory of 2700	2272	01ee00438aae21b9e5e71585ce24f95f99cd3f47cf8430bec99e590122b7c0e3N.exe	30
PID 2272 wrote to memory of 2700	2272	01ee00438aae21b9e5e71585ce24f95f99cd3f47cf8430bec99e590122b7c0e3N.exe	30
PID 2272 wrote to memory of 2700	2272	01ee00438aae21b9e5e71585ce24f95f99cd3f47cf8430bec99e590122b7c0e3N.exe	30
PID 2272 wrote to memory of 2700	2272	01ee00438aae21b9e5e71585ce24f95f99cd3f47cf8430bec99e590122b7c0e3N.exe	30
PID 2700 wrote to memory of 2856	2700	IEXPLORE.EXE	31
PID 2700 wrote to memory of 2856	2700	IEXPLORE.EXE	31
PID 2700 wrote to memory of 2856	2700	IEXPLORE.EXE	31
PID 2700 wrote to memory of 2856	2700	IEXPLORE.EXE	31

C:\Users\Admin\AppData\Local\Temp\01ee00438aae21b9e5e71585ce24f95f99cd3f47cf8430bec99e590122b7c0e3N.exe
"C:\Users\Admin\AppData\Local\Temp\01ee00438aae21b9e5e71585ce24f95f99cd3f47cf8430bec99e590122b7c0e3N.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2272
- C:\program files\internet explorer\IEXPLORE.EXE
  "C:\program files\internet explorer\IEXPLORE.EXE"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2700 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2f8ae986433f2422ac0add38588d98fd

SHA1
6814e7419f261fa6f0f0b9fb9e560f502f038744

SHA256
794cda37970073df165391991b2486cf1122ebe8d8b2113bbe6860c0b71952f9

SHA512
629719152e525d9b4e7fc9b84ec451ee3bc57f088f6ad02f93ea3c6620ff6c844e801877b275a5a7f3149678b85ab0cc42351ef7ebb86ec5eb2fc17ecda64c16

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dc82e6d7eb81df0ce2f858fa01e8a4c4

SHA1
f8d6859887a66866536a5d9eae029d831f8ad59f

SHA256
5b3879ddca42abc4d5d447d5f70957cd3fdca56848c22c57f3421e936acd7183

SHA512
d034f852eb796a0aa3b93f4b04809a8f5818e311398b9b97f56261b9f78f4070e590e978fec42c010ee031f65d8a9e3e56186e8d6dfc7e41fd8c2d3888f058e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
97376dd1d85306e71d950738852de5f9

SHA1
87f130686092d25fc905434a35ca887d1096acbc

SHA256
51c05ffe427abde606016a2603bc47f6d6faa48033f198a9f3dd114fe537c5e7

SHA512
28d0a5fd29431f94b2286fa212ede69c61e6925df49764a70799aa33ccd99dcf89fac99382b018ebfa9cda4285d68d65bf1ce7d1252dbb213ae2ee8f36581f8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5b9c3ca9b0dd21468b12746b40a241f5

SHA1
a11923ea1f372380bfa887e38147cca06a021b22

SHA256
255e8e0366d91c7965e4e21aa4b2bf751f1b4ca153dc5f6f151e9e3ad6706b84

SHA512
3ea4ddbf5c31c480074c68d34b09edc516f83229cc5dfbac19079ce26b80b1eed9a089b797668bc4532a2edc6e134a5e72f9ce90a2978b87ff8bbcc40b3e8979

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e9cac8c362c5154a7017d52ba20d3ec1

SHA1
2601d1314b33f3673a891e15a0fccb1e340fc29e

SHA256
df00a386e8127f169ee19057a2b77e74cab6eab94d3285038fe1f883331d556e

SHA512
98eef7972eaeb629eee25d29a22a7f3119b5a33a972483a678668f3a834fc195edada5c15856744a339621221ce06febb2f2ac39fc1cc931940c40a653c7c415

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
23da73c3c2478e284e8feb683b7f4d30

SHA1
e6e0fae90ac38b6df4691079db010e8b022d5b5f

SHA256
1c9e134a777f77d4cc549a75fc1529413bf69deca82babc59fb80092377ba6b8

SHA512
23febd3b2fe01aaaa3f48a68496b2039a5cac26a200d1fd872c98c39a68aeaad92e7d327431a72266353f6a9979826e8571db859d47a9113e39b8bb24d34b930

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
768f69d8c06f1f06621c02aac78cb6f8

SHA1
d45bad42980dbad6b0ea29d4fef64dd32d2055ac

SHA256
ca01ab97b8d801804aa4fe6fd55d7e560a8d9d2b73fc4a561b24b90e63d32586

SHA512
ba635ecd88d7dbd62f872d301ddbe8fadcd27682d888adb713a1c548bfb6cddddcace5ec8755dd162e7acc01acf86b5de932b0720fbd06b7c235f01e7954ff65

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5685463acddf91b8df0f9c67b2ed9a31

SHA1
241328d2cce992d100a2cee6e592892febaa40c2

SHA256
462cb95e60bd78546b3e21b7eea36e2ad7015e2ad83b830a4ecb125927c1116d

SHA512
e8816235388a77c5e1535229c22156e7078b095b02f09bf210aadfd689e608814c4116ece03259ab87b1c8994eb7dc4a48b698e37dd37ab25358acd7c60c8a49

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
69bb3a2d8988b00d02ca2b4492e65c5b

SHA1
7005239aa593613fc3992bc7c82d3be801e64023

SHA256
5bfb99495d9936047b8805752d3e78d07bb6a9b4900481e2c91873e51a145ee2

SHA512
037bc9c6bb632b53bf29b653d69ed353138791421d03af0e202a16eae95da4a10137feeb688ee1844b8a272ec511343daabb3df9d081f56f15c2d88cd72d53cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7d39167a3b20e178eabf80b6ab1b6fee

SHA1
f4f08b6833a0f3b47caca478e95ad63c2937f6aa

SHA256
b957fa9ad04ec3cea01c69947661dc17f9dcde8467d8ecb513080172c5c5af80

SHA512
5541f778c0fa84d759cb030ca7e55ab5f7ca77e267f3b04246c2686578e38cc56d5ba0a7ba6125a49342be34052fa67a889f85ffeb10173df38c831725f8aefd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
287eb6534d4960704f42894cf7015b8d

SHA1
cf2b9dce7a3b20d40dd3254d2a781084049041b6

SHA256
76d5d59763c3cb0731d24050f056c9ab26fcfeb950fcd5b4727feadac5cce322

SHA512
848bb6e037036b23a5148985d34e862d108f399f52eae7892baa2256b943707d9be0f706400cb00e1b2081c0ea5d4ee5a28c68616e9ae4ac977a470a7216e1e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1e6552609e7a9ab627725d9e463ca751

SHA1
7965706c23bd067c9c045a8666a327d61ed4c389

SHA256
63654d22d2a71939606f43e4605a22f0516dc3990c7b15ada6986840bd456656

SHA512
79c0c9b5f97786a7260c62d8970810b3e9c995b207079d43a6eb9abfdb194ee898b2305abe8a5eec24609ae4e41972597138be357e62e8d21ce8a792b55e78b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b35652b9f9fb7f50027a18ddfd679121

SHA1
683760bd353788f235c534f12bec365485f83542

SHA256
a795ff51b00b5640df371bff03d55b5d4b9f177f625cee6e719cf720c325c3c6

SHA512
a8c8a3dde5f35b07f398957830d263d83153ef0414b09d1fa8d55a7ac9c83f955cd793702f01a2dca8d0ab6f83517ed50c267c0f4f022062a6874c676e9911b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD6C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDDC.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/2272-5-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/2272-2-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2272-1-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2272-0-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/2700-4-0x0000000000270000-0x0000000000390000-memory.dmp

Filesize
1.1MB

Download