modiloader | e8efbb14a3fdb433e11f64993092a18c0c6605ef10f655cdf7dabf2d4a951e5e

Analysis

max time kernel
115s
max time network
112s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-es
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-eslocale:es-esos:windows10-ltsc 2021-x64systemwindows
submitted
13-12-2024 20:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MassSender.exe
Size

2.2MB
MD5

88f65230b988517b529f15ee1f173b3c
SHA1

5dd29ced644415f87d106b340eba656eb9eae311
SHA256

e8efbb14a3fdb433e11f64993092a18c0c6605ef10f655cdf7dabf2d4a951e5e
SHA512

46ac27d80b61939f0fef7d5493866274f95494bcfb855751d8b82d6677ef2aef1d6fc9f26b1dbeb217277abe4408ccbc3c75dfc37bc552f31085dc31e99e0c91
SSDEEP

49152:4n7JG9CyViR+Y9ZYVCiIrNDctSXXEeXzAAAL:yV+C0nYoItyg9AL

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader First Stage 13 IoCs

resource	yara_rule
behavioral1/memory/1528-4-0x0000000000400000-0x000000000098F000-memory.dmp	modiloader_stage1
behavioral1/memory/1528-6-0x0000000000400000-0x000000000098F000-memory.dmp	modiloader_stage1
behavioral1/memory/1528-8-0x0000000000400000-0x000000000098F000-memory.dmp	modiloader_stage1
behavioral1/memory/1528-10-0x0000000000400000-0x000000000098F000-memory.dmp	modiloader_stage1
behavioral1/memory/1528-11-0x0000000000400000-0x000000000098F000-memory.dmp	modiloader_stage1
behavioral1/memory/1528-12-0x0000000000400000-0x000000000098F000-memory.dmp	modiloader_stage1
behavioral1/memory/1528-13-0x0000000000400000-0x000000000098F000-memory.dmp	modiloader_stage1
behavioral1/memory/1528-14-0x0000000000400000-0x000000000098F000-memory.dmp	modiloader_stage1
behavioral1/memory/1528-15-0x0000000000400000-0x000000000098F000-memory.dmp	modiloader_stage1
behavioral1/memory/1528-16-0x0000000000400000-0x000000000098F000-memory.dmp	modiloader_stage1
behavioral1/memory/1528-17-0x0000000000400000-0x000000000098F000-memory.dmp	modiloader_stage1
behavioral1/memory/1528-18-0x0000000000400000-0x000000000098F000-memory.dmp	modiloader_stage1
behavioral1/memory/1528-57-0x0000000000400000-0x000000000098F000-memory.dmp	modiloader_stage1

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MassSender.exe

Modifies registry class 38 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	MassSender.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings	MassSender.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{237561AB-1162-5837-1307-251216710420}\Info	MassSender.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	MassSender.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	MassSender.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	MassSender.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{237561AB-1162-5837-1307-251216710420}\Info	MassSender.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	MassSender.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	MassSender.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	MassSender.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff	MassSender.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	MassSender.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	MassSender.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	MassSender.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	MassSender.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	MassSender.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Documents"	MassSender.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	MassSender.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	MassSender.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	MassSender.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	MassSender.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "2"	MassSender.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	MassSender.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{237561AB-1162-5837-1307-251216710420}	MassSender.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	MassSender.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{237561AB-1162-5837-1307-251216710420}\Info\Data = 004b59770000000000000000090000006af96677d832a300090000005c31da77e076db77b029a3007c4b5977feffff0008fa190019016777340000c0ccfa190000000000440367776cfa190064fa190070fa190002000000b002000000000000020000000000000000000000b00200000c00000000000000b2ba5bf2e50b00004c04b1f10aca3ebcbcf91900dc5c0200b2aa5404d0f9190001000000bcf919003c0000009b4ddb012af02c1f00000000b2aa5404d0f919000b000000a701000004fa190046d1d87760fa0000b0fa1900f8ef7c02e8070c000d0014000a0039004a0205002af02c1f9b4ddb016af9667700000000000000000000000000000000000000000000000044fa1900d7b5637720fa19002cfa190060fa190034567b0225b663772af02c1f9b4ddb012000fe7fe8070c000d0014000a0039004a02050004aa07b7000000009cfa190071b5637760fa19000c0000000d001eb7962b69000a000000b2aa5404e80700019cfa19009e2a690094fa19004a020000d4fa1900cc2a6900d42a690034567b02f8ef7c02f8ef7c0204322e303056d6fb03e9ea3f0f0000008c2f69004a021900d6fb03e9d6fb03e9da4ae64005000d0014000a00	MassSender.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 14002e80922b16d365937a46956b92703aca08af0000	MassSender.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	MassSender.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	MassSender.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	MassSender.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	MassSender.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{237561AB-1162-5837-1307-251216710420}\Info\Data = 00000000008ca300e8000000908ca300ba000000908ca300140001013a0000003a00000048fe190090b3da7748fe190090b3da771ae68f67feffffffa4fc19006d80db77000000009480db77e0f3a5000000a30000000000743100002400000001000000000000000000000048e57c0270f97c0248e57c0278dd7c02c0aa7c0278dd7c0200000000fc986800003dd7770000a300663dd777c4fc1900663dd777000000000b000000e04e7b0278dd7c02e04e7b0200000000fc986800084d61696e4d656e75fffffff0fc0000f4fc1900004000001c86a500fcfc1900f5ae6477ffffffff00408702004000002cfd190074b37c0000c0000034fd1900ffffffff0000000000008802000087024cfd19000080870200408702ea83690008570000c0aa7c021495680008ec7c02d4ef7c02c0ef7c021400000008ec7c02d4ef7c02c0ef7c021400000074fd1900f8d17c02e0d17c0228000000141e7b02f8d17c02e0d17c022800000094fd1900098e690044b37c00118e6900c8dd7c0274dd7c02bc00000000000000c8dd7c0274dd7c02bc00000004322e30308e690044b37c000f00000078dd7c02000000001d000000d6fb03e9da4ae640f8ef7c021d000000	MassSender.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	MassSender.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	MassSender.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	MassSender.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy	MassSender.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	MassSender.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	MassSender.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1528	MassSender.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1528	MassSender.exe
1528	MassSender.exe
1528	MassSender.exe
1528	MassSender.exe

C:\Users\Admin\AppData\Local\Temp\MassSender.exe
"C:\Users\Admin\AppData\Local\Temp\MassSender.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AMS.ini

Filesize
198B

MD5
216e464fc9f5c8baa1feb218e63b1bf7

SHA1
d350f48028073c1fb72db7a7bfb01eda8dc1fc56

SHA256
97e7c1a2097cfdb7589e84851fd37ccdb5ffe32d6f01d7ec7c420e5f6325919b

SHA512
37f60c526d1c4bc9ef2e2d359fb5d3a5761913b95744e47be0a2437758277c08d7247bc909be4b9db753e0e72266859ae6323a26585cd1f28074d3ddf4f436a5

Download Submit
memory/1528-10-0x0000000000400000-0x000000000098F000-memory.dmp

Filesize
5.6MB

Download
memory/1528-18-0x0000000000400000-0x000000000098F000-memory.dmp

Filesize
5.6MB

Download
memory/1528-3-0x0000000001100000-0x0000000001101000-memory.dmp

Filesize
4KB

Download
memory/1528-5-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/1528-4-0x0000000000400000-0x000000000098F000-memory.dmp

Filesize
5.6MB

Download
memory/1528-6-0x0000000000400000-0x000000000098F000-memory.dmp

Filesize
5.6MB

Download
memory/1528-7-0x0000000005170000-0x0000000005171000-memory.dmp

Filesize
4KB

Download
memory/1528-11-0x0000000000400000-0x000000000098F000-memory.dmp

Filesize
5.6MB

Download
memory/1528-57-0x0000000000400000-0x000000000098F000-memory.dmp

Filesize
5.6MB

Download
memory/1528-2-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/1528-8-0x0000000000400000-0x000000000098F000-memory.dmp

Filesize
5.6MB

Download
memory/1528-12-0x0000000000400000-0x000000000098F000-memory.dmp

Filesize
5.6MB

Download
memory/1528-13-0x0000000000400000-0x000000000098F000-memory.dmp

Filesize
5.6MB

Download
memory/1528-14-0x0000000000400000-0x000000000098F000-memory.dmp

Filesize
5.6MB

Download
memory/1528-15-0x0000000000400000-0x000000000098F000-memory.dmp

Filesize
5.6MB

Download
memory/1528-16-0x0000000000400000-0x000000000098F000-memory.dmp

Filesize
5.6MB

Download
memory/1528-17-0x0000000000400000-0x000000000098F000-memory.dmp

Filesize
5.6MB

Download
memory/1528-0-0x0000000000400000-0x000000000098F000-memory.dmp

Filesize
5.6MB

Download
memory/1528-1-0x0000000001100000-0x0000000001101000-memory.dmp

Filesize
4KB

Download
memory/1528-9-0x0000000005170000-0x0000000005171000-memory.dmp

Filesize
4KB

Download