modiloader | 9f8ac42c6b88e50d04f8c0f2c45afd9387997345f4617280d057df7f03363bca

Analysis

max time kernel
93s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2024, 05:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

top flash to video.exe
Size

1.6MB
MD5

2aa4d2caa73ed5160cc34fba921236c1
SHA1

022d065ddb70ffa3bba898e183179772d7c484fd
SHA256

5e5ae825b31fa0863f8a3055379306e20ac9f3c554f121f4f0c29430f79e51cf
SHA512

3a3b0104b0005d1a158727ca51a797255616af0365090921db58cc70ec3a4a2cadb9a7630384af4cb7a5b134a9de5217bb7499cb02d13c9c92f6124a127fd7fd
SSDEEP

24576:G1tYL4dVpWK5GYFHGgGfqa2B7yzzLP0DTXYWCs/tSVmzvIPUrsj2WnkIdINwByd6:G1t5GYEaaD/YTKsVSVHPfnkII96

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral24/memory/1528-19-0x0000000000400000-0x0000000000CD8000-memory.dmp	modiloader_stage2
behavioral24/memory/1528-24-0x0000000000400000-0x0000000000CD8000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
4436	CF06674C-EDA6-48df-B12C-F810984ACF54.exe

Loads dropped DLL 4 IoCs

pid	Process
1528	top flash to video.exe
1528	top flash to video.exe
1528	top flash to video.exe
1528	top flash to video.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1492	1528	WerFault.exe	81

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	top flash to video.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CF06674C-EDA6-48df-B12C-F810984ACF54.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
1528	top flash to video.exe
1528	top flash to video.exe
1528	top flash to video.exe
1528	top flash to video.exe
1528	top flash to video.exe
1528	top flash to video.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
1528	top flash to video.exe
1528	top flash to video.exe
1528	top flash to video.exe
1528	top flash to video.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 4436	1528	top flash to video.exe	87
PID 1528 wrote to memory of 4436	1528	top flash to video.exe	87
PID 1528 wrote to memory of 4436	1528	top flash to video.exe	87

C:\Users\Admin\AppData\Local\Temp\top flash to video.exe
"C:\Users\Admin\AppData\Local\Temp\top flash to video.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 820
  2⤵
  - Program crash
  PID:1492
- C:\Users\Admin\AppData\Local\Temp\CF06674C-EDA6-48df-B12C-F810984ACF54.exe
  "C:\Users\Admin\AppData\Local\Temp\CF06674C-EDA6-48df-B12C-F810984ACF54.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1528 -ip 1528
1⤵
PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CF06674C-EDA6-48df-B12C-F810984ACF54.exe

Filesize
3KB

MD5
c5be6b4274a62a7be11d1c018235a79b

SHA1
a6e81b63a198fee34498cd95c78dec73b6957bcc

SHA256
551a361bbfb5e01e7de1656059736c0bc0d119d85d020f1b6c61867abc0ca778

SHA512
c06d6820c5998f13be5eabb8dd32c5cf2da27168d6ade1defa934ff464e05be276728a02f30d7d803dc6d64ce5eb22a80d2769b0fd6e6517c8351e631daadfde

Download Submit
C:\Users\Admin\AppData\Local\Temp\MBX@5F8@2AA4848.###

Filesize
1KB

MD5
f09be87202d5817120c8fbe46ccbea5e

SHA1
d6417a20302afecaff6b5076ddef06100dc4f371

SHA256
4fddf2db6fed4ba8712cb85b684f438648f08d21859748eed2160f8ce2eb4ee3

SHA512
aac55dd50852fe41b2b3be2c826c155643521c5be4606324e70840a4d5df983d3ec616a3e68d542a2fb9edecbe3d4659d0b7de0df30e5125d919bf3b4c9b9dc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\MBX@5F8@2AA4858.###

Filesize
1KB

MD5
ce49ea586115b986531f671cbb38d6ff

SHA1
0a0ab2fc21992937f89dd3639f2624c52d88f5dd

SHA256
c146e621a9efb7d5ffbe24a36ca11a0a07edcd6341a77abb49dd1f04f88ab8a2

SHA512
f4c32e1a584c0ff1fd414a58e40f5af77d2b9052e823ecc1ee0c37311c48de4a5a35f6b33d2d7580c79c2260b73fd652524b6174845f615cb426a5d7d173bd76

Download Submit
C:\Users\Admin\AppData\Local\Temp\MBX@5F8@2AA4868.###

Filesize
1KB

MD5
19dc727886e5cf77151fecc6602b18e3

SHA1
db0552406905cc6fb28ad17566313ea7059c70ce

SHA256
3fd58ce91525999f79267507b364338ee0d193f7ad42508b7c253b7678f32046

SHA512
6e35f482f142ba2fc86297694573f8bef3adb3c8db0e69371cc76ecce24338a872a5271af0ca1efe00ee40ca1a5788b6d23b9be0cb72413c9bef705794685b65

Download Submit
memory/1528-6-0x0000000010005000-0x0000000010006000-memory.dmp

Filesize
4KB

Download
memory/1528-11-0x000000006CF80000-0x000000006D2EA000-memory.dmp

Filesize
3.4MB

Download
memory/1528-0-0x0000000000400000-0x0000000000CD8000-memory.dmp

Filesize
8.8MB

Download
memory/1528-18-0x0000000002BA0000-0x0000000002C96000-memory.dmp

Filesize
984KB

Download
memory/1528-19-0x0000000000400000-0x0000000000CD8000-memory.dmp

Filesize
8.8MB

Download
memory/1528-5-0x0000000010000000-0x0000000010009000-memory.dmp

Filesize
36KB

Download
memory/1528-24-0x0000000000400000-0x0000000000CD8000-memory.dmp

Filesize
8.8MB

Download
memory/1528-28-0x000000006CF80000-0x000000006D2EA000-memory.dmp

Filesize
3.4MB

Download
memory/1528-27-0x0000000002BA0000-0x0000000002C96000-memory.dmp

Filesize
984KB

Download
memory/1528-26-0x0000000010000000-0x0000000010009000-memory.dmp

Filesize
36KB

Download