modiloader | 76af8cf5846c6addfc9049cde063bbee8c0353bc0870c5080ad37a41a9aab1a3

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
31-10-2024 09:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ORDER REF 47806798 PSMCO.exe
Size

1.0MB
MD5

0c30c6e44c595afef7d8e5209e6c21cd
SHA1

9ad384a291bcb187a770826c9b4524ded9d4ce33
SHA256

76af8cf5846c6addfc9049cde063bbee8c0353bc0870c5080ad37a41a9aab1a3
SHA512

2ecd6746865cb88457f3e60445fbb5a790a9df84ca1d00acdd5124eea986e17e61d2dbe6b236d7b40691c7ff3a2f473508bb7b4299575b14b6124e64b905d543
SSDEEP

24576:ZVb5KPAdOzVmG3zd+eIDT8Jf3pbV13Jks:ZVhOhd+eI8t5X

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 61 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1764-2-0x0000000003370000-0x0000000004370000-memory.dmp	modiloader_stage2
behavioral1/memory/1764-12-0x0000000003370000-0x0000000004370000-memory.dmp	modiloader_stage2
behavioral1/memory/1764-76-0x0000000003370000-0x0000000004370000-memory.dmp	modiloader_stage2
behavioral1/memory/1764-73-0x0000000003370000-0x0000000004370000-memory.dmp	modiloader_stage2
behavioral1/memory/1764-70-0x0000000003370000-0x0000000004370000-memory.dmp	modiloader_stage2
behavioral1/memory/1764-67-0x0000000003370000-0x0000000004370000-memory.dmp	modiloader_stage2
behavioral1/memory/1764-64-0x0000000003370000-0x0000000004370000-memory.dmp	modiloader_stage2
behavioral1/memory/1764-58-0x0000000003370000-0x0000000004370000-memory.dmp	modiloader_stage2
behavioral1/memory/1764-53-0x0000000003370000-0x0000000004370000-memory.dmp	modiloader_stage2
behavioral1/memory/1764-55-0x0000000003370000-0x0000000004370000-memory.dmp	modiloader_stage2
behavioral1/memory/1764-52-0x0000000003370000-0x0000000004370000-memory.dmp	modiloader_stage2
behavioral1/memory/1764-50-0x0000000003370000-0x0000000004370000-memory.dmp	modiloader_stage2
behavioral1/memory/1764-48-0x0000000003370000-0x0000000004370000-memory.dmp	modiloader_stage2
behavioral1/memory/1764-47-0x0000000003370000-0x0000000004370000-memory.dmp	modiloader_stage2
behavioral1/memory/1764-45-0x0000000003370000-0x0000000004370000-memory.dmp	modiloader_stage2
behavioral1/memory/1764-43-0x0000000003370000-0x0000000004370000-memory.dmp	modiloader_stage2
behavioral1/memory/1764-42-0x0000000003370000-0x0000000004370000-memory.dmp	modiloader_stage2
behavioral1/memory/1764-38-0x0000000003370000-0x0000000004370000-memory.dmp	modiloader_stage2
behavioral1/memory/1764-35-0x0000000003370000-0x0000000004370000-memory.dmp	modiloader_stage2
behavioral1/memory/1764-34-0x0000000003370000-0x0000000004370000-memory.dmp	modiloader_stage2
behavioral1/memory/1764-32-0x0000000003370000-0x0000000004370000-memory.dmp	modiloader_stage2
behavioral1/memory/1764-30-0x0000000003370000-0x0000000004370000-memory.dmp	modiloader_stage2
behavioral1/memory/1764-27-0x0000000003370000-0x0000000004370000-memory.dmp	modiloader_stage2
behavioral1/memory/1764-24-0x0000000003370000-0x0000000004370000-memory.dmp	modiloader_stage2
behavioral1/memory/1764-23-0x0000000003370000-0x0000000004370000-memory.dmp	modiloader_stage2
behavioral1/memory/1764-20-0x0000000003370000-0x0000000004370000-memory.dmp	modiloader_stage2
behavioral1/memory/1764-18-0x0000000003370000-0x0000000004370000-memory.dmp	modiloader_stage2
behavioral1/memory/1764-17-0x0000000003370000-0x0000000004370000-memory.dmp	modiloader_stage2
behavioral1/memory/1764-15-0x0000000003370000-0x0000000004370000-memory.dmp	modiloader_stage2
behavioral1/memory/1764-14-0x0000000003370000-0x0000000004370000-memory.dmp	modiloader_stage2
behavioral1/memory/1764-62-0x0000000003370000-0x0000000004370000-memory.dmp	modiloader_stage2
behavioral1/memory/1764-59-0x0000000003370000-0x0000000004370000-memory.dmp	modiloader_stage2
behavioral1/memory/1764-60-0x0000000003370000-0x0000000004370000-memory.dmp	modiloader_stage2
behavioral1/memory/1764-57-0x0000000003370000-0x0000000004370000-memory.dmp	modiloader_stage2
behavioral1/memory/1764-56-0x0000000003370000-0x0000000004370000-memory.dmp	modiloader_stage2
behavioral1/memory/1764-54-0x0000000003370000-0x0000000004370000-memory.dmp	modiloader_stage2
behavioral1/memory/1764-51-0x0000000003370000-0x0000000004370000-memory.dmp	modiloader_stage2
behavioral1/memory/1764-49-0x0000000003370000-0x0000000004370000-memory.dmp	modiloader_stage2
behavioral1/memory/1764-46-0x0000000003370000-0x0000000004370000-memory.dmp	modiloader_stage2
behavioral1/memory/1764-44-0x0000000003370000-0x0000000004370000-memory.dmp	modiloader_stage2
behavioral1/memory/1764-41-0x0000000003370000-0x0000000004370000-memory.dmp	modiloader_stage2
behavioral1/memory/1764-40-0x0000000003370000-0x0000000004370000-memory.dmp	modiloader_stage2
behavioral1/memory/1764-39-0x0000000003370000-0x0000000004370000-memory.dmp	modiloader_stage2
behavioral1/memory/1764-37-0x0000000003370000-0x0000000004370000-memory.dmp	modiloader_stage2
behavioral1/memory/1764-36-0x0000000003370000-0x0000000004370000-memory.dmp	modiloader_stage2
behavioral1/memory/1764-33-0x0000000003370000-0x0000000004370000-memory.dmp	modiloader_stage2
behavioral1/memory/1764-31-0x0000000003370000-0x0000000004370000-memory.dmp	modiloader_stage2
behavioral1/memory/1764-29-0x0000000003370000-0x0000000004370000-memory.dmp	modiloader_stage2
behavioral1/memory/1764-28-0x0000000003370000-0x0000000004370000-memory.dmp	modiloader_stage2
behavioral1/memory/1764-26-0x0000000003370000-0x0000000004370000-memory.dmp	modiloader_stage2
behavioral1/memory/1764-25-0x0000000003370000-0x0000000004370000-memory.dmp	modiloader_stage2
behavioral1/memory/1764-22-0x0000000003370000-0x0000000004370000-memory.dmp	modiloader_stage2
behavioral1/memory/1764-21-0x0000000003370000-0x0000000004370000-memory.dmp	modiloader_stage2
behavioral1/memory/1764-19-0x0000000003370000-0x0000000004370000-memory.dmp	modiloader_stage2
behavioral1/memory/1764-16-0x0000000003370000-0x0000000004370000-memory.dmp	modiloader_stage2
behavioral1/memory/1764-13-0x0000000003370000-0x0000000004370000-memory.dmp	modiloader_stage2
behavioral1/memory/1764-11-0x0000000003370000-0x0000000004370000-memory.dmp	modiloader_stage2
behavioral1/memory/1764-10-0x0000000003370000-0x0000000004370000-memory.dmp	modiloader_stage2
behavioral1/memory/1764-9-0x0000000003370000-0x0000000004370000-memory.dmp	modiloader_stage2
behavioral1/memory/1764-8-0x0000000003370000-0x0000000004370000-memory.dmp	modiloader_stage2
behavioral1/memory/1764-7-0x0000000003370000-0x0000000004370000-memory.dmp	modiloader_stage2

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2324 1764 WerFault.exe ORDER REF 47806798 PSMCO.exe
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

ORDER REF 47806798 PSMCO.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ORDER REF 47806798 PSMCO.exe

pid	pid_target	process	target process
2324	1764	WerFault.exe	ORDER REF 47806798 PSMCO.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ORDER REF 47806798 PSMCO.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

ORDER REF 47806798 PSMCO.exe

description	pid	process	target process
PID 1764 wrote to memory of 2324	1764	ORDER REF 47806798 PSMCO.exe	WerFault.exe
PID 1764 wrote to memory of 2324	1764	ORDER REF 47806798 PSMCO.exe	WerFault.exe
PID 1764 wrote to memory of 2324	1764	ORDER REF 47806798 PSMCO.exe	WerFault.exe
PID 1764 wrote to memory of 2324	1764	ORDER REF 47806798 PSMCO.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\ORDER REF 47806798 PSMCO.exe
"C:\Users\Admin\AppData\Local\Temp\ORDER REF 47806798 PSMCO.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 696
  2⤵
  - Program crash
  PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1764-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1764-1-0x0000000003370000-0x0000000004370000-memory.dmp

Filesize
16.0MB

Download
memory/1764-2-0x0000000003370000-0x0000000004370000-memory.dmp

Filesize
16.0MB

Download
memory/1764-5-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1764-4-0x0000000000400000-0x000000000050A000-memory.dmp

Filesize
1.0MB

Download
memory/1764-12-0x0000000003370000-0x0000000004370000-memory.dmp

Filesize
16.0MB

Download
memory/1764-76-0x0000000003370000-0x0000000004370000-memory.dmp

Filesize
16.0MB

Download
memory/1764-73-0x0000000003370000-0x0000000004370000-memory.dmp

Filesize
16.0MB

Download
memory/1764-70-0x0000000003370000-0x0000000004370000-memory.dmp

Filesize
16.0MB

Download
memory/1764-67-0x0000000003370000-0x0000000004370000-memory.dmp

Filesize
16.0MB

Download
memory/1764-64-0x0000000003370000-0x0000000004370000-memory.dmp

Filesize
16.0MB

Download
memory/1764-58-0x0000000003370000-0x0000000004370000-memory.dmp

Filesize
16.0MB

Download
memory/1764-53-0x0000000003370000-0x0000000004370000-memory.dmp

Filesize
16.0MB

Download
memory/1764-55-0x0000000003370000-0x0000000004370000-memory.dmp

Filesize
16.0MB

Download
memory/1764-52-0x0000000003370000-0x0000000004370000-memory.dmp

Filesize
16.0MB

Download
memory/1764-50-0x0000000003370000-0x0000000004370000-memory.dmp

Filesize
16.0MB

Download
memory/1764-48-0x0000000003370000-0x0000000004370000-memory.dmp

Filesize
16.0MB

Download
memory/1764-47-0x0000000003370000-0x0000000004370000-memory.dmp

Filesize
16.0MB

Download
memory/1764-45-0x0000000003370000-0x0000000004370000-memory.dmp

Filesize
16.0MB

Download
memory/1764-43-0x0000000003370000-0x0000000004370000-memory.dmp

Filesize
16.0MB

Download
memory/1764-42-0x0000000003370000-0x0000000004370000-memory.dmp

Filesize
16.0MB

Download
memory/1764-38-0x0000000003370000-0x0000000004370000-memory.dmp

Filesize
16.0MB

Download
memory/1764-35-0x0000000003370000-0x0000000004370000-memory.dmp

Filesize
16.0MB

Download
memory/1764-34-0x0000000003370000-0x0000000004370000-memory.dmp

Filesize
16.0MB

Download
memory/1764-32-0x0000000003370000-0x0000000004370000-memory.dmp

Filesize
16.0MB

Download
memory/1764-30-0x0000000003370000-0x0000000004370000-memory.dmp

Filesize
16.0MB

Download
memory/1764-27-0x0000000003370000-0x0000000004370000-memory.dmp

Filesize
16.0MB

Download
memory/1764-24-0x0000000003370000-0x0000000004370000-memory.dmp

Filesize
16.0MB

Download
memory/1764-23-0x0000000003370000-0x0000000004370000-memory.dmp

Filesize
16.0MB

Download
memory/1764-20-0x0000000003370000-0x0000000004370000-memory.dmp

Filesize
16.0MB

Download
memory/1764-18-0x0000000003370000-0x0000000004370000-memory.dmp

Filesize
16.0MB

Download
memory/1764-17-0x0000000003370000-0x0000000004370000-memory.dmp

Filesize
16.0MB

Download
memory/1764-15-0x0000000003370000-0x0000000004370000-memory.dmp

Filesize
16.0MB

Download
memory/1764-14-0x0000000003370000-0x0000000004370000-memory.dmp

Filesize
16.0MB

Download
memory/1764-62-0x0000000003370000-0x0000000004370000-memory.dmp

Filesize
16.0MB

Download
memory/1764-59-0x0000000003370000-0x0000000004370000-memory.dmp

Filesize
16.0MB

Download
memory/1764-60-0x0000000003370000-0x0000000004370000-memory.dmp

Filesize
16.0MB

Download
memory/1764-57-0x0000000003370000-0x0000000004370000-memory.dmp

Filesize
16.0MB

Download
memory/1764-56-0x0000000003370000-0x0000000004370000-memory.dmp

Filesize
16.0MB

Download
memory/1764-54-0x0000000003370000-0x0000000004370000-memory.dmp

Filesize
16.0MB

Download
memory/1764-51-0x0000000003370000-0x0000000004370000-memory.dmp

Filesize
16.0MB

Download
memory/1764-49-0x0000000003370000-0x0000000004370000-memory.dmp

Filesize
16.0MB

Download
memory/1764-46-0x0000000003370000-0x0000000004370000-memory.dmp

Filesize
16.0MB

Download
memory/1764-44-0x0000000003370000-0x0000000004370000-memory.dmp

Filesize
16.0MB

Download
memory/1764-41-0x0000000003370000-0x0000000004370000-memory.dmp

Filesize
16.0MB

Download
memory/1764-40-0x0000000003370000-0x0000000004370000-memory.dmp

Filesize
16.0MB

Download
memory/1764-39-0x0000000003370000-0x0000000004370000-memory.dmp

Filesize
16.0MB

Download
memory/1764-37-0x0000000003370000-0x0000000004370000-memory.dmp

Filesize
16.0MB

Download
memory/1764-36-0x0000000003370000-0x0000000004370000-memory.dmp

Filesize
16.0MB

Download
memory/1764-33-0x0000000003370000-0x0000000004370000-memory.dmp

Filesize
16.0MB

Download
memory/1764-31-0x0000000003370000-0x0000000004370000-memory.dmp

Filesize
16.0MB

Download
memory/1764-29-0x0000000003370000-0x0000000004370000-memory.dmp

Filesize
16.0MB

Download
memory/1764-28-0x0000000003370000-0x0000000004370000-memory.dmp

Filesize
16.0MB

Download
memory/1764-26-0x0000000003370000-0x0000000004370000-memory.dmp

Filesize
16.0MB

Download
memory/1764-25-0x0000000003370000-0x0000000004370000-memory.dmp

Filesize
16.0MB

Download
memory/1764-22-0x0000000003370000-0x0000000004370000-memory.dmp

Filesize
16.0MB

Download
memory/1764-21-0x0000000003370000-0x0000000004370000-memory.dmp

Filesize
16.0MB

Download
memory/1764-19-0x0000000003370000-0x0000000004370000-memory.dmp

Filesize
16.0MB

Download
memory/1764-16-0x0000000003370000-0x0000000004370000-memory.dmp

Filesize
16.0MB

Download
memory/1764-13-0x0000000003370000-0x0000000004370000-memory.dmp

Filesize
16.0MB

Download
memory/1764-11-0x0000000003370000-0x0000000004370000-memory.dmp

Filesize
16.0MB

Download
memory/1764-10-0x0000000003370000-0x0000000004370000-memory.dmp

Filesize
16.0MB

Download
memory/1764-9-0x0000000003370000-0x0000000004370000-memory.dmp

Filesize
16.0MB

Download
memory/1764-8-0x0000000003370000-0x0000000004370000-memory.dmp

Filesize
16.0MB

Download
memory/1764-7-0x0000000003370000-0x0000000004370000-memory.dmp

Filesize
16.0MB

Download