modiloader | 7f0fe0f164eb1473d719006b2b09c40b0e05aa0732331d90f9fd24dcab3a7058

Analysis

max time kernel
141s
max time network
125s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
27/11/2024, 12:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f0fe0f164eb1473d719006b2b09c40b0e05aa0732331d90f9fd24dcab3a7058.exe
Size

348KB
MD5

03527c142799c1d689556b147c3437b2
SHA1

5f324fd0cd5f95356e24da4ab4a90b71196113c5
SHA256

7f0fe0f164eb1473d719006b2b09c40b0e05aa0732331d90f9fd24dcab3a7058
SHA512

3258cda3283f9a9b7186be67ae393bd26c12586f538f2b9b729247745fc969a49a4e02e84065d936fee190882d574b2a1f11bac0bbb80b98ab5c92c2d53b1a65
SSDEEP

6144:VFjL41SWW+Yta+ySQ+GyoCZUdzlEOVciyGCE+riGDAGxZKcJv6Msx/BGbFt:VFjs1SWpY/ySBVoCmdzlEqciy+yiGhZ5

Score

10^/10

modiloader discovery persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Windows\\server.exe\""	server.exe

Modiloader family
modiloader

ModiLoader Second Stage 11 IoCs

resource	yara_rule
behavioral1/memory/3044-46-0x0000000000400000-0x000000000042C000-memory.dmp	modiloader_stage2
behavioral1/memory/3044-47-0x0000000000400000-0x000000000042C000-memory.dmp	modiloader_stage2
behavioral1/memory/3044-45-0x0000000000400000-0x000000000042C000-memory.dmp	modiloader_stage2
behavioral1/memory/3044-42-0x0000000000400000-0x000000000042C000-memory.dmp	modiloader_stage2
behavioral1/memory/3044-38-0x0000000000400000-0x000000000042C000-memory.dmp	modiloader_stage2
behavioral1/memory/3044-36-0x0000000000400000-0x000000000042C000-memory.dmp	modiloader_stage2
behavioral1/memory/3044-34-0x0000000000400000-0x000000000042C000-memory.dmp	modiloader_stage2
behavioral1/memory/3044-32-0x0000000000400000-0x000000000042C000-memory.dmp	modiloader_stage2
behavioral1/memory/3044-56-0x0000000000400000-0x000000000042C000-memory.dmp	modiloader_stage2
behavioral1/memory/628-85-0x0000000000400000-0x000000000042C000-memory.dmp	modiloader_stage2
behavioral1/memory/628-93-0x0000000000400000-0x000000000042C000-memory.dmp	modiloader_stage2

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05I41M56-QW07-U20F-YX8T-VB4U6TP4UX63}	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05I41M56-QW07-U20F-YX8T-VB4U6TP4UX63}\StubPath = "\"C:\\Windows\\server.exe\""	server.exe

Deletes itself 1 IoCs

pid	Process
3068	cmd.exe

Executes dropped EXE 5 IoCs

pid	Process
2192	fff2.exe
3036	J3qbFH8P8.exe
3044	J3qbFH8P8.exe
2064	server.exe
628	server.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\server = "C:\\Windows\\server.exe"	server.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3036 set thread context of 3044	3036	J3qbFH8P8.exe	34
PID 2064 set thread context of 628	2064	server.exe	36

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\server.exe	J3qbFH8P8.exe
File opened for modification	C:\Windows\server.exe	J3qbFH8P8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	J3qbFH8P8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7f0fe0f164eb1473d719006b2b09c40b0e05aa0732331d90f9fd24dcab3a7058.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fff2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	J3qbFH8P8.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3044	J3qbFH8P8.exe
628	server.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2192	fff2.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3012	7f0fe0f164eb1473d719006b2b09c40b0e05aa0732331d90f9fd24dcab3a7058.exe
3036	J3qbFH8P8.exe
2064	server.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2192	3012	7f0fe0f164eb1473d719006b2b09c40b0e05aa0732331d90f9fd24dcab3a7058.exe	30
PID 3012 wrote to memory of 2192	3012	7f0fe0f164eb1473d719006b2b09c40b0e05aa0732331d90f9fd24dcab3a7058.exe	30
PID 3012 wrote to memory of 2192	3012	7f0fe0f164eb1473d719006b2b09c40b0e05aa0732331d90f9fd24dcab3a7058.exe	30
PID 3012 wrote to memory of 2192	3012	7f0fe0f164eb1473d719006b2b09c40b0e05aa0732331d90f9fd24dcab3a7058.exe	30
PID 3012 wrote to memory of 3036	3012	7f0fe0f164eb1473d719006b2b09c40b0e05aa0732331d90f9fd24dcab3a7058.exe	31
PID 3012 wrote to memory of 3036	3012	7f0fe0f164eb1473d719006b2b09c40b0e05aa0732331d90f9fd24dcab3a7058.exe	31
PID 3012 wrote to memory of 3036	3012	7f0fe0f164eb1473d719006b2b09c40b0e05aa0732331d90f9fd24dcab3a7058.exe	31
PID 3012 wrote to memory of 3036	3012	7f0fe0f164eb1473d719006b2b09c40b0e05aa0732331d90f9fd24dcab3a7058.exe	31
PID 3012 wrote to memory of 3068	3012	7f0fe0f164eb1473d719006b2b09c40b0e05aa0732331d90f9fd24dcab3a7058.exe	32
PID 3012 wrote to memory of 3068	3012	7f0fe0f164eb1473d719006b2b09c40b0e05aa0732331d90f9fd24dcab3a7058.exe	32
PID 3012 wrote to memory of 3068	3012	7f0fe0f164eb1473d719006b2b09c40b0e05aa0732331d90f9fd24dcab3a7058.exe	32
PID 3012 wrote to memory of 3068	3012	7f0fe0f164eb1473d719006b2b09c40b0e05aa0732331d90f9fd24dcab3a7058.exe	32
PID 3036 wrote to memory of 3044	3036	J3qbFH8P8.exe	34
PID 3036 wrote to memory of 3044	3036	J3qbFH8P8.exe	34
PID 3036 wrote to memory of 3044	3036	J3qbFH8P8.exe	34
PID 3036 wrote to memory of 3044	3036	J3qbFH8P8.exe	34
PID 3036 wrote to memory of 3044	3036	J3qbFH8P8.exe	34
PID 3036 wrote to memory of 3044	3036	J3qbFH8P8.exe	34
PID 3036 wrote to memory of 3044	3036	J3qbFH8P8.exe	34
PID 3036 wrote to memory of 3044	3036	J3qbFH8P8.exe	34
PID 3036 wrote to memory of 3044	3036	J3qbFH8P8.exe	34
PID 3036 wrote to memory of 3044	3036	J3qbFH8P8.exe	34
PID 3036 wrote to memory of 3044	3036	J3qbFH8P8.exe	34
PID 3044 wrote to memory of 2064	3044	J3qbFH8P8.exe	35
PID 3044 wrote to memory of 2064	3044	J3qbFH8P8.exe	35
PID 3044 wrote to memory of 2064	3044	J3qbFH8P8.exe	35
PID 3044 wrote to memory of 2064	3044	J3qbFH8P8.exe	35
PID 2064 wrote to memory of 628	2064	server.exe	36
PID 2064 wrote to memory of 628	2064	server.exe	36
PID 2064 wrote to memory of 628	2064	server.exe	36
PID 2064 wrote to memory of 628	2064	server.exe	36
PID 2064 wrote to memory of 628	2064	server.exe	36
PID 2064 wrote to memory of 628	2064	server.exe	36
PID 2064 wrote to memory of 628	2064	server.exe	36
PID 2064 wrote to memory of 628	2064	server.exe	36
PID 2064 wrote to memory of 628	2064	server.exe	36
PID 2064 wrote to memory of 628	2064	server.exe	36
PID 2064 wrote to memory of 628	2064	server.exe	36
PID 2064 wrote to memory of 1472	2064	server.exe	37
PID 2064 wrote to memory of 1472	2064	server.exe	37
PID 2064 wrote to memory of 1472	2064	server.exe	37
PID 2064 wrote to memory of 1472	2064	server.exe	37
PID 628 wrote to memory of 892	628	server.exe	39
PID 628 wrote to memory of 892	628	server.exe	39
PID 628 wrote to memory of 892	628	server.exe	39
PID 628 wrote to memory of 892	628	server.exe	39
PID 628 wrote to memory of 892	628	server.exe	39
PID 628 wrote to memory of 892	628	server.exe	39
PID 628 wrote to memory of 892	628	server.exe	39
PID 628 wrote to memory of 892	628	server.exe	39
PID 628 wrote to memory of 892	628	server.exe	39
PID 628 wrote to memory of 892	628	server.exe	39
PID 628 wrote to memory of 892	628	server.exe	39
PID 628 wrote to memory of 892	628	server.exe	39
PID 628 wrote to memory of 892	628	server.exe	39
PID 628 wrote to memory of 892	628	server.exe	39
PID 628 wrote to memory of 892	628	server.exe	39
PID 628 wrote to memory of 892	628	server.exe	39
PID 628 wrote to memory of 892	628	server.exe	39
PID 628 wrote to memory of 892	628	server.exe	39
PID 628 wrote to memory of 892	628	server.exe	39
PID 628 wrote to memory of 892	628	server.exe	39
PID 628 wrote to memory of 892	628	server.exe	39
PID 628 wrote to memory of 892	628	server.exe	39

C:\Users\Admin\AppData\Local\Temp\7f0fe0f164eb1473d719006b2b09c40b0e05aa0732331d90f9fd24dcab3a7058.exe
"C:\Users\Admin\AppData\Local\Temp\7f0fe0f164eb1473d719006b2b09c40b0e05aa0732331d90f9fd24dcab3a7058.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3012
- C:\fff2.exe
  "C:\fff2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2192
- C:\J3qbFH8P8.exe
  "C:\J3qbFH8P8.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\J3qbFH8P8.exe
    "C:\J3qbFH8P8.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3044
  - - C:\Windows\server.exe
      "C:\Windows\server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2064
    - - C:\Windows\server.exe
        
        "C:\Windows\server.exe"
        5⤵
        Modifies WinLogon for persistence
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:628
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:892
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c \melt.bat
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1472
- C:\Windows\SysWOW64\cmd.exe
  cmd /c \melt.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\J3qbFH8P8.exe

Filesize
220KB

MD5
144dec755361311d15dce9b03d368d01

SHA1
4d331cb6d916d997ee0d14faa1ae8dded71b02c8

SHA256
98e284e33c2b8aaa654fe78b5586dbfd10c45b694415c9fe7718feeab4f4ca25

SHA512
d2fa423ca1dd8c6dac906ba640812686d6260120870b5878dcce00ef0d67229872eb6104d1e8caf043d9d8a38d28699c2b491d271f1d16839d631f9102130993

Download Submit
C:\fff2.exe

Filesize
54KB

MD5
116d27fdf50ebecaada14096812dbf90

SHA1
5af91f4129b2e38f8decd50c8b0cc5d09c042bf1

SHA256
3ed5f41bad3acaf3eb8507d61b70c75c84e18febe06ebd482f3c366edcec394c

SHA512
e98eb844f4ddf74cccab1a14ea1a03accc3c2e0daa02aeb32d4718dbbb547ba80dbcd0d8469aed4d0f4fbb6949ddfe5e70fff099651d69d9fe8d2047b54b7c2a

Download Submit
C:\melt.bat

Filesize
285B

MD5
e63b0429ec82e1d058e932faf1cac2c6

SHA1
299ea3d6a563ec1587f543c207e2589ccc2b73d0

SHA256
cdfde3a16ee2c04597ef67bc2fe72724aa6e0f5b2e63c815165d487624bfad54

SHA512
6e46493fd36a641e88140e1644ba9e2653dfab20c162aaaacc18422dd321c24b3e01dbdc4b3a447cdcf6b5b337af4d43212aa655732bfbe8f8a019ac682dad54

Download Submit
C:\melt.bat

Filesize
123B

MD5
58a67e1781a193dcf2f9f0685426380d

SHA1
8ce90e1df11d529112abb400b930dcfc73d78fce

SHA256
229cfb10926e706af01042a8348a9a910cfad0cb0aa9bc20c65e8dec0f006136

SHA512
598349435ac6abe93fab69891f33a7cb2c1d47184398c867eed8b057ee9b045e20865e79a839762f465a27c05efdd21d30caa1dc262c03321804513eef66e05a

Download Submit
memory/628-87-0x0000000010410000-0x0000000010455000-memory.dmp

Filesize
276KB

Download
memory/628-93-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/628-85-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/628-86-0x0000000010410000-0x0000000010455000-memory.dmp

Filesize
276KB

Download
memory/2192-96-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3012-10-0x0000000002A00000-0x0000000002A39000-memory.dmp

Filesize
228KB

Download
memory/3012-5-0x0000000002A00000-0x0000000002A39000-memory.dmp

Filesize
228KB

Download
memory/3044-38-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3044-34-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3044-32-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3044-30-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3044-28-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3044-56-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3044-36-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3044-40-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3044-42-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3044-45-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3044-47-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3044-46-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download