modiloader | 8f5936f3ebe5598bea2c561c4dc118eeb836ad393ec11e4ccfd9fde43a461cd8

Analysis

max time kernel
2s
max time network
150s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
01-11-2024 14:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f5936f3ebe5598bea2c561c4dc118eeb836ad393ec11e4ccfd9fde43a461cd8.exe
Size

338KB
MD5

a6bdcd6f1b10c86b88f8be60b25f29b1
SHA1

ab2840ed40b083ccf1e4045e93d3095530239587
SHA256

8f5936f3ebe5598bea2c561c4dc118eeb836ad393ec11e4ccfd9fde43a461cd8
SHA512

31f3d3bc5cd507f4e5c04db5bf23b2f8f1e67905e5d9a0be929e0617b01c47a5bdefc50f89adc1e8bd0988dbd8dc1c6910e5d58be47c8375124d18f412701f2b
SSDEEP

3072:bc3sBG7mXh7m/zZM3jAbNOM6CNtDCZFc/:w3sBz0Z4Mj72F

Score

10^/10

modiloader discovery trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/46296-147861-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2076-0-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/198840-73934-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/199240-73974-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/198840-73972-0x0000000003310000-0x0000000003367000-memory.dmp	upx
behavioral1/files/0x000a000000016e1d-73971.dat	upx
behavioral1/memory/2076-73928-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/198840-73925-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/198840-73924-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/198840-73923-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/198840-73920-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/198840-73918-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/198840-94683-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/199240-107480-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/46296-147849-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/198840-147858-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/199240-147853-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/46296-147861-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/46240-147860-0x0000000000400000-0x000000000040B000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

8f5936f3ebe5598bea2c561c4dc118eeb836ad393ec11e4ccfd9fde43a461cd8.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8f5936f3ebe5598bea2c561c4dc118eeb836ad393ec11e4ccfd9fde43a461cd8.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

8f5936f3ebe5598bea2c561c4dc118eeb836ad393ec11e4ccfd9fde43a461cd8.exe

pid	Process
2076	8f5936f3ebe5598bea2c561c4dc118eeb836ad393ec11e4ccfd9fde43a461cd8.exe

C:\Users\Admin\AppData\Local\Temp\8f5936f3ebe5598bea2c561c4dc118eeb836ad393ec11e4ccfd9fde43a461cd8.exe
"C:\Users\Admin\AppData\Local\Temp\8f5936f3ebe5598bea2c561c4dc118eeb836ad393ec11e4ccfd9fde43a461cd8.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2076
- C:\Users\Admin\AppData\Local\Temp\8f5936f3ebe5598bea2c561c4dc118eeb836ad393ec11e4ccfd9fde43a461cd8.exe
  "C:\Users\Admin\AppData\Local\Temp\8f5936f3ebe5598bea2c561c4dc118eeb836ad393ec11e4ccfd9fde43a461cd8.exe"
  2⤵
  PID:198840
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\JOKLW.bat" "
    3⤵
    PID:199156
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Win Pdf" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe" /f
      4⤵
      PID:199216
- - C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
    3⤵
    PID:199240
  - - C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
      4⤵
      PID:46240
  - - C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
      4⤵
      PID:46296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\JOKLW.bat

Filesize
145B

MD5
4eb61ec7816c34ec8c125acadc57ec1b

SHA1
b0015cc865c0bb1a027be663027d3829401a31cc

SHA256
08375cdb2e9819391f67f71e9718c15b48d3eaa452c54bd8fdd1f6a42e899aff

SHA512
f289f01d996dd643560370be8cdf8894e9a676ca3813f706c01ef5d705b9b18246c6cadf10d96edd433a616637b8a78fbd23c5738e76f1c4e671977b6d0cb6c1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe

Filesize
338KB

MD5
84562b36fe9c97536711d055af7bb455

SHA1
10dc5cd850192bb206188e6fbddf17c02301d4dc

SHA256
72a7a76a9b674a1cba0c47e7fca77b2b191320069c658e6271eaf0194893cdfb

SHA512
8b8e33b694942158e8eaf8fd56443b55f63f50bca54d736dffe7b8c43bab5b86a12e2d522365d1ae4e410e2a5ce7d703c6c71c1c30761e4fb70eddc84c2aba60

Download Submit
memory/2076-26344-0x0000000000090000-0x0000000000190000-memory.dmp

Filesize
1024KB

Download
memory/2076-26366-0x0000000000090000-0x0000000000190000-memory.dmp

Filesize
1024KB

Download
memory/2076-26371-0x0000000000090000-0x0000000000190000-memory.dmp

Filesize
1024KB

Download
memory/2076-26370-0x0000000000090000-0x0000000000190000-memory.dmp

Filesize
1024KB

Download
memory/2076-26369-0x0000000000090000-0x0000000000190000-memory.dmp

Filesize
1024KB

Download
memory/2076-26368-0x0000000000090000-0x0000000000190000-memory.dmp

Filesize
1024KB

Download
memory/2076-164-0x0000000000405000-0x0000000000406000-memory.dmp

Filesize
4KB

Download
memory/2076-26365-0x0000000000090000-0x0000000000190000-memory.dmp

Filesize
1024KB

Download
memory/2076-26364-0x0000000000090000-0x0000000000190000-memory.dmp

Filesize
1024KB

Download
memory/2076-26363-0x0000000000090000-0x0000000000190000-memory.dmp

Filesize
1024KB

Download
memory/2076-26362-0x0000000000090000-0x0000000000190000-memory.dmp

Filesize
1024KB

Download
memory/2076-26361-0x0000000000090000-0x0000000000190000-memory.dmp

Filesize
1024KB

Download
memory/2076-26360-0x0000000000090000-0x0000000000190000-memory.dmp

Filesize
1024KB

Download
memory/2076-26359-0x0000000000090000-0x0000000000190000-memory.dmp

Filesize
1024KB

Download
memory/2076-26358-0x0000000000090000-0x0000000000190000-memory.dmp

Filesize
1024KB

Download
memory/2076-26356-0x0000000000090000-0x0000000000190000-memory.dmp

Filesize
1024KB

Download
memory/2076-26354-0x0000000000090000-0x0000000000190000-memory.dmp

Filesize
1024KB

Download
memory/2076-26355-0x0000000000090000-0x0000000000190000-memory.dmp

Filesize
1024KB

Download
memory/2076-26353-0x0000000000090000-0x0000000000190000-memory.dmp

Filesize
1024KB

Download
memory/2076-26352-0x0000000000090000-0x0000000000190000-memory.dmp

Filesize
1024KB

Download
memory/2076-26351-0x0000000000090000-0x0000000000190000-memory.dmp

Filesize
1024KB

Download
memory/2076-26350-0x0000000000090000-0x0000000000190000-memory.dmp

Filesize
1024KB

Download
memory/2076-26349-0x0000000000090000-0x0000000000190000-memory.dmp

Filesize
1024KB

Download
memory/2076-26348-0x0000000000090000-0x0000000000190000-memory.dmp

Filesize
1024KB

Download
memory/2076-26347-0x0000000000090000-0x0000000000190000-memory.dmp

Filesize
1024KB

Download
memory/2076-26342-0x0000000000090000-0x0000000000190000-memory.dmp

Filesize
1024KB

Download
memory/2076-26343-0x0000000000090000-0x0000000000190000-memory.dmp

Filesize
1024KB

Download
memory/2076-0-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2076-26345-0x0000000000090000-0x0000000000190000-memory.dmp

Filesize
1024KB

Download
memory/2076-73928-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2076-26346-0x0000000000090000-0x0000000000190000-memory.dmp

Filesize
1024KB

Download
memory/2076-26341-0x0000000000090000-0x0000000000190000-memory.dmp

Filesize
1024KB

Download
memory/2076-26357-0x0000000000090000-0x0000000000190000-memory.dmp

Filesize
1024KB

Download
memory/2076-26367-0x0000000000090000-0x0000000000190000-memory.dmp

Filesize
1024KB

Download
memory/2076-26340-0x0000000000090000-0x0000000000190000-memory.dmp

Filesize
1024KB

Download
memory/2076-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/46240-147860-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/46296-147861-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/46296-147849-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/198840-103445-0x0000000003300000-0x0000000003357000-memory.dmp

Filesize
348KB

Download
memory/198840-73916-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/198840-73934-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/198840-73925-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/198840-73924-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/198840-73923-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/198840-73922-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/198840-73972-0x0000000003310000-0x0000000003367000-memory.dmp

Filesize
348KB

Download
memory/198840-94683-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/198840-73975-0x0000000003300000-0x0000000003357000-memory.dmp

Filesize
348KB

Download
memory/198840-73918-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/198840-103474-0x0000000003310000-0x0000000003367000-memory.dmp

Filesize
348KB

Download
memory/198840-73963-0x0000000003300000-0x0000000003357000-memory.dmp

Filesize
348KB

Download
memory/198840-73920-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/198840-112030-0x0000000003300000-0x0000000003357000-memory.dmp

Filesize
348KB

Download
memory/198840-73973-0x0000000003310000-0x0000000003367000-memory.dmp

Filesize
348KB

Download
memory/198840-147858-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/199240-107480-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/199240-147853-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/199240-73974-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download