modiloader | 42ee8848169ff3d0e0aac28d49b08999e7d98bc1859fa50fcd749dd5b397a030

Analysis

max time kernel
94s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2024 19:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42ee8848169ff3d0e0aac28d49b08999e7d98bc1859fa50fcd749dd5b397a030.exe
Size

692KB
MD5

1a568c9984881b51ec7b0e7811356f23
SHA1

074214c6d98ed316f2e714fa9d2476174676dc19
SHA256

42ee8848169ff3d0e0aac28d49b08999e7d98bc1859fa50fcd749dd5b397a030
SHA512

6258df9f4b1bbe32b4e1ba55d68b58c00521c5e88ea7995a4c35a033356ef9c4643be2ae29d9bbe65832709e1cceb7610fe05ba4019bc8bd4006bbdeadadeadc
SSDEEP

12288:KRRtGgozqi5paO0lp9USQVUSyrkA4pZ6J+v5NdTgxWaSTA1:If2eas1USImapIwPuIaSTm

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 5 IoCs

resource	yara_rule
behavioral2/memory/4676-0-0x0000000000400000-0x00000000004B8000-memory.dmp	modiloader_stage2
behavioral2/files/0x000c000000023b22-5.dat	modiloader_stage2
behavioral2/memory/2608-6-0x0000000000400000-0x00000000004B8000-memory.dmp	modiloader_stage2
behavioral2/memory/4676-9-0x0000000000400000-0x00000000004B8000-memory.dmp	modiloader_stage2
behavioral2/memory/2608-11-0x0000000000400000-0x00000000004B8000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
2608	svchsot.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\DaverDel.bat	42ee8848169ff3d0e0aac28d49b08999e7d98bc1859fa50fcd749dd5b397a030.exe
File created	C:\Windows\SysWOW64\svchsot.exe	42ee8848169ff3d0e0aac28d49b08999e7d98bc1859fa50fcd749dd5b397a030.exe
File opened for modification	C:\Windows\SysWOW64\svchsot.exe	42ee8848169ff3d0e0aac28d49b08999e7d98bc1859fa50fcd749dd5b397a030.exe
File opened for modification	C:\Windows\SysWOW64\svchsot.exe	svchsot.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	42ee8848169ff3d0e0aac28d49b08999e7d98bc1859fa50fcd749dd5b397a030.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchsot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4676 wrote to memory of 2608	4676	42ee8848169ff3d0e0aac28d49b08999e7d98bc1859fa50fcd749dd5b397a030.exe	83
PID 4676 wrote to memory of 2608	4676	42ee8848169ff3d0e0aac28d49b08999e7d98bc1859fa50fcd749dd5b397a030.exe	83
PID 4676 wrote to memory of 2608	4676	42ee8848169ff3d0e0aac28d49b08999e7d98bc1859fa50fcd749dd5b397a030.exe	83
PID 4676 wrote to memory of 4784	4676	42ee8848169ff3d0e0aac28d49b08999e7d98bc1859fa50fcd749dd5b397a030.exe	84
PID 4676 wrote to memory of 4784	4676	42ee8848169ff3d0e0aac28d49b08999e7d98bc1859fa50fcd749dd5b397a030.exe	84
PID 4676 wrote to memory of 4784	4676	42ee8848169ff3d0e0aac28d49b08999e7d98bc1859fa50fcd749dd5b397a030.exe	84

C:\Users\Admin\AppData\Local\Temp\42ee8848169ff3d0e0aac28d49b08999e7d98bc1859fa50fcd749dd5b397a030.exe
"C:\Users\Admin\AppData\Local\Temp\42ee8848169ff3d0e0aac28d49b08999e7d98bc1859fa50fcd749dd5b397a030.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4676
- C:\Windows\SysWOW64\svchsot.exe
  C:\Windows\system32\svchsot.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\system32\DaverDel.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\DaverDel.bat

Filesize
248B

MD5
0fa2a9f21967a86073d270bba1579ef6

SHA1
d8b7e30a35a0775098adfa204b916212f3e1d88e

SHA256
7f63e719bb4aa9130c5dee8f9dd4de34688daa70821a72f80d8e9c5f8db6e6fb

SHA512
36c90e88ac77ecfc222e388e8d002674cd4a25232ff96e149f8d1dc1f113c4299d428738952aad27eba46e472af2641560d9e7b97c32b68fcaefeaf321905198

Download Submit
C:\Windows\SysWOW64\svchsot.exe

Filesize
692KB

MD5
1a568c9984881b51ec7b0e7811356f23

SHA1
074214c6d98ed316f2e714fa9d2476174676dc19

SHA256
42ee8848169ff3d0e0aac28d49b08999e7d98bc1859fa50fcd749dd5b397a030

SHA512
6258df9f4b1bbe32b4e1ba55d68b58c00521c5e88ea7995a4c35a033356ef9c4643be2ae29d9bbe65832709e1cceb7610fe05ba4019bc8bd4006bbdeadadeadc

Download Submit
memory/2608-6-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2608-11-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4676-0-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4676-9-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download