modiloader | aae8699a908c3ca5211006647460cb8eb15c517a7cbf4a45bbf7909977317faf

Analysis

max time kernel
37s
max time network
53s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2024, 03:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

PO_2024_056209_MQ04865_ENQ_1045 (1).gz
Size

943KB
MD5

6271861abdb95e51f6849c843acdae62
SHA1

66cc315ad98bd5bae2ffb11729bbfdae8eefa85a
SHA256

aae8699a908c3ca5211006647460cb8eb15c517a7cbf4a45bbf7909977317faf
SHA512

90a117bbfc1251361d0e8900675c6846511598544dd1df0d3eb6b2ec982a5b83bea4b81eeee9991ca84cdc44785573bc9e79eff9ff417f747990e635a42f59fb
SSDEEP

24576:yKMYBN1/giWrlz3+rRu+P+FBVIceG7VX6BUxWDbuLmfq/wTL:1MI/giUlr+rRu+2FE5G7VKCxlLmS/wX

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 61 IoCs

resource	yara_rule
behavioral1/memory/3132-26006-0x0000000002B50000-0x0000000003B50000-memory.dmp	modiloader_stage2
behavioral1/memory/3132-26013-0x0000000002B50000-0x0000000003B50000-memory.dmp	modiloader_stage2
behavioral1/memory/3132-26014-0x0000000002B50000-0x0000000003B50000-memory.dmp	modiloader_stage2
behavioral1/memory/3132-26019-0x0000000002B50000-0x0000000003B50000-memory.dmp	modiloader_stage2
behavioral1/memory/3132-26030-0x0000000002B50000-0x0000000003B50000-memory.dmp	modiloader_stage2
behavioral1/memory/3132-26046-0x0000000002B50000-0x0000000003B50000-memory.dmp	modiloader_stage2
behavioral1/memory/3132-26071-0x0000000002B50000-0x0000000003B50000-memory.dmp	modiloader_stage2
behavioral1/memory/3132-26070-0x0000000002B50000-0x0000000003B50000-memory.dmp	modiloader_stage2
behavioral1/memory/3132-26069-0x0000000002B50000-0x0000000003B50000-memory.dmp	modiloader_stage2
behavioral1/memory/3132-26068-0x0000000002B50000-0x0000000003B50000-memory.dmp	modiloader_stage2
behavioral1/memory/3132-26067-0x0000000002B50000-0x0000000003B50000-memory.dmp	modiloader_stage2
behavioral1/memory/3132-26066-0x0000000002B50000-0x0000000003B50000-memory.dmp	modiloader_stage2
behavioral1/memory/3132-26064-0x0000000002B50000-0x0000000003B50000-memory.dmp	modiloader_stage2
behavioral1/memory/3132-26063-0x0000000002B50000-0x0000000003B50000-memory.dmp	modiloader_stage2
behavioral1/memory/3132-26062-0x0000000002B50000-0x0000000003B50000-memory.dmp	modiloader_stage2
behavioral1/memory/3132-26061-0x0000000002B50000-0x0000000003B50000-memory.dmp	modiloader_stage2
behavioral1/memory/3132-26060-0x0000000002B50000-0x0000000003B50000-memory.dmp	modiloader_stage2
behavioral1/memory/3132-26059-0x0000000002B50000-0x0000000003B50000-memory.dmp	modiloader_stage2
behavioral1/memory/3132-26058-0x0000000002B50000-0x0000000003B50000-memory.dmp	modiloader_stage2
behavioral1/memory/3132-26057-0x0000000002B50000-0x0000000003B50000-memory.dmp	modiloader_stage2
behavioral1/memory/3132-26056-0x0000000002B50000-0x0000000003B50000-memory.dmp	modiloader_stage2
behavioral1/memory/3132-26055-0x0000000002B50000-0x0000000003B50000-memory.dmp	modiloader_stage2
behavioral1/memory/3132-26050-0x0000000002B50000-0x0000000003B50000-memory.dmp	modiloader_stage2
behavioral1/memory/3132-26048-0x0000000002B50000-0x0000000003B50000-memory.dmp	modiloader_stage2
behavioral1/memory/3132-26045-0x0000000002B50000-0x0000000003B50000-memory.dmp	modiloader_stage2
behavioral1/memory/3132-26043-0x0000000002B50000-0x0000000003B50000-memory.dmp	modiloader_stage2
behavioral1/memory/3132-26040-0x0000000002B50000-0x0000000003B50000-memory.dmp	modiloader_stage2
behavioral1/memory/3132-26038-0x0000000002B50000-0x0000000003B50000-memory.dmp	modiloader_stage2
behavioral1/memory/3132-26037-0x0000000002B50000-0x0000000003B50000-memory.dmp	modiloader_stage2
behavioral1/memory/3132-26036-0x0000000002B50000-0x0000000003B50000-memory.dmp	modiloader_stage2
behavioral1/memory/3132-26035-0x0000000002B50000-0x0000000003B50000-memory.dmp	modiloader_stage2
behavioral1/memory/3132-26054-0x0000000002B50000-0x0000000003B50000-memory.dmp	modiloader_stage2
behavioral1/memory/3132-26033-0x0000000002B50000-0x0000000003B50000-memory.dmp	modiloader_stage2
behavioral1/memory/3132-26052-0x0000000002B50000-0x0000000003B50000-memory.dmp	modiloader_stage2
behavioral1/memory/3132-26051-0x0000000002B50000-0x0000000003B50000-memory.dmp	modiloader_stage2
behavioral1/memory/3132-26049-0x0000000002B50000-0x0000000003B50000-memory.dmp	modiloader_stage2
behavioral1/memory/3132-26031-0x0000000002B50000-0x0000000003B50000-memory.dmp	modiloader_stage2
behavioral1/memory/3132-26047-0x0000000002B50000-0x0000000003B50000-memory.dmp	modiloader_stage2
behavioral1/memory/3132-26029-0x0000000002B50000-0x0000000003B50000-memory.dmp	modiloader_stage2
behavioral1/memory/3132-26028-0x0000000002B50000-0x0000000003B50000-memory.dmp	modiloader_stage2
behavioral1/memory/3132-26044-0x0000000002B50000-0x0000000003B50000-memory.dmp	modiloader_stage2
behavioral1/memory/3132-26042-0x0000000002B50000-0x0000000003B50000-memory.dmp	modiloader_stage2
behavioral1/memory/3132-26041-0x0000000002B50000-0x0000000003B50000-memory.dmp	modiloader_stage2
behavioral1/memory/3132-26025-0x0000000002B50000-0x0000000003B50000-memory.dmp	modiloader_stage2
behavioral1/memory/3132-26039-0x0000000002B50000-0x0000000003B50000-memory.dmp	modiloader_stage2
behavioral1/memory/3132-26024-0x0000000002B50000-0x0000000003B50000-memory.dmp	modiloader_stage2
behavioral1/memory/3132-26017-0x0000000002B50000-0x0000000003B50000-memory.dmp	modiloader_stage2
behavioral1/memory/3132-26023-0x0000000002B50000-0x0000000003B50000-memory.dmp	modiloader_stage2
behavioral1/memory/3132-26022-0x0000000002B50000-0x0000000003B50000-memory.dmp	modiloader_stage2
behavioral1/memory/3132-26034-0x0000000002B50000-0x0000000003B50000-memory.dmp	modiloader_stage2
behavioral1/memory/3132-26021-0x0000000002B50000-0x0000000003B50000-memory.dmp	modiloader_stage2
behavioral1/memory/3132-26032-0x0000000002B50000-0x0000000003B50000-memory.dmp	modiloader_stage2
behavioral1/memory/3132-26018-0x0000000002B50000-0x0000000003B50000-memory.dmp	modiloader_stage2
behavioral1/memory/3132-26027-0x0000000002B50000-0x0000000003B50000-memory.dmp	modiloader_stage2
behavioral1/memory/3132-26026-0x0000000002B50000-0x0000000003B50000-memory.dmp	modiloader_stage2
behavioral1/memory/3132-26016-0x0000000002B50000-0x0000000003B50000-memory.dmp	modiloader_stage2
behavioral1/memory/3132-26015-0x0000000002B50000-0x0000000003B50000-memory.dmp	modiloader_stage2
behavioral1/memory/3132-26020-0x0000000002B50000-0x0000000003B50000-memory.dmp	modiloader_stage2
behavioral1/memory/3132-26010-0x0000000002B50000-0x0000000003B50000-memory.dmp	modiloader_stage2
behavioral1/memory/3132-26011-0x0000000002B50000-0x0000000003B50000-memory.dmp	modiloader_stage2
behavioral1/memory/3132-26012-0x0000000002B50000-0x0000000003B50000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
3132	x.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2460	7zFM.exe
2460	7zFM.exe
2460	7zFM.exe
2460	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2460	7zFM.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	2460	7zFM.exe
Token: 35	2460	7zFM.exe
Token: SeSecurityPrivilege	2460	7zFM.exe
Token: SeSecurityPrivilege	2460	7zFM.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2460	7zFM.exe
2460	7zFM.exe
2460	7zFM.exe
2460	7zFM.exe
2460	7zFM.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 2692	2460	7zFM.exe	83
PID 2460 wrote to memory of 2692	2460	7zFM.exe	83
PID 2692 wrote to memory of 4540	2692	cmd.exe	93
PID 2692 wrote to memory of 4540	2692	cmd.exe	93
PID 2692 wrote to memory of 4588	2692	cmd.exe	94
PID 2692 wrote to memory of 4588	2692	cmd.exe	94
PID 2692 wrote to memory of 3132	2692	cmd.exe	95
PID 2692 wrote to memory of 3132	2692	cmd.exe	95
PID 2692 wrote to memory of 3132	2692	cmd.exe	95

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\PO_2024_056209_MQ04865_ENQ_1045 (1).gz"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zOC9962987\PO_2024_056209_MQ04865_ENQ_1045.cmd" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\system32\findstr.exe
    findstr /e "'v" "C:\Users\Admin\AppData\Local\Temp\7zOC9962987\PO_2024_056209_MQ04865_ENQ_1045.cmd"
    3⤵
    PID:4540
- - C:\Windows\system32\cscript.exe
    cscript //nologo C:\Users\Admin\AppData\Local\Temp\x.vbs
    3⤵
    PID:4588
- - C:\Users\Admin\AppData\Local\Temp\x.exe
    C:\Users\Admin\AppData\Local\Temp\x.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3132
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
      4⤵
      PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zOC9962987\PO_2024_056209_MQ04865_ENQ_1045.cmd

Filesize
2.1MB

MD5
e74e6f735a0aabae7ea551ec00081be9

SHA1
e21c6050c4b5598be0db7fff9abefdfcb8a78f04

SHA256
e66a156bc6d1ef4b56a572c4133de2559388152dc36d1f35860e2defa566caaa

SHA512
e26c43246087b24b40642f7fb412210a0cce295ce3009136d08596bcc644f74f4734e7f1375f2117d89a8935636d002d7b6c3065cd9aa2380a50c96d54c093c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\x

Filesize
1.8MB

MD5
bf38536008977969fa57ff4fca96af75

SHA1
1ff7c41ce6d80f772f6fa32e667285587ee21cbd

SHA256
5171548d61d342b89a92969bb13e4431ea8acd46a7146f448ebdb49639f19e9f

SHA512
f14c7a41d2e1b40b735071648db81d8cac2e5180a2062351365109ce384bcb317d7bc7ecbfb416d7614c1cdcae8c29180f937585e87b6ef43bcca8bbbe4046f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\x

Filesize
8KB

MD5
9332a64adbfe1fa96e85f32d467a7663

SHA1
08b142374417eb8dbc33b8287161debc8042c18e

SHA256
db7984e4f4e7ecf2f4ff1c3648c51d6348bd47bfe5f9e4fd696a1aae146bd90b

SHA512
7e775dc57928893650ac272877cb5c9a7b1be6ce1eeec6ef047fe607155736ebba9971cc2dfbbc9de01a9a793aab31ac059581b9e5714380f24b7cec8f473321

Download Submit
C:\Users\Admin\AppData\Local\Temp\x.exe

Filesize
1.3MB

MD5
d1f6b3bd433945255249291310f2e59e

SHA1
b5a2b9ec979e17c4d1074e7d1a23b550cce578d5

SHA256
7886e0dcb78a5d5e67f9d28272c24a29139accf9ff7616b659ffeb3eeaf1603a

SHA512
116e88e5e5b4db7086d5efe759a3b7883ded9cd691327e3f71aee61f0920805a21118d801231b7c091c4ee8e7beca6f5efadd577031336775bc93f2bcbec2b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\x.vbs

Filesize
380B

MD5
ec9a2fb69a379d913a4e0a953cd3b97c

SHA1
a0303ed9f787c042071a1286bba43a5bbdd0679e

SHA256
cf8268d158bb819ef158ff6ccbed64d5e379148a0adb1f73a082a01d56d0286b

SHA512
fef8e24a680991046bd7dacd6079c7e48c3031fe46caae722ea93797ee16c052073ba97959e992ea71ac7ab72fbcedaa5cf4a410657aac4c10ad24de6935e9d6

Download Submit
C:\Users\Public\Libraries\FX.cmd

Filesize
8KB

MD5
60cd0be570decd49e4798554639a05ae

SHA1
bd7bed69d9ab9a20b5263d74921c453f38477bcb

SHA256
ca6a6c849496453990beceef8c192d90908c0c615fa0a1d01bcd464bad6966a5

SHA512
ab3dbdb4ed95a0cb4072b23dd241149f48ecff8a69f16d81648e825d9d81a55954e5dd9bc46d3d7408421df30c901b9ad1385d1e70793fa8d715c86c9e800c57

Download Submit
memory/3132-26005-0x0000000002B50000-0x0000000003B50000-memory.dmp

Filesize
16.0MB

Download
memory/3132-26006-0x0000000002B50000-0x0000000003B50000-memory.dmp

Filesize
16.0MB

Download
memory/3132-26009-0x0000000000400000-0x0000000000556000-memory.dmp

Filesize
1.3MB

Download
memory/3132-26013-0x0000000002B50000-0x0000000003B50000-memory.dmp

Filesize
16.0MB

Download
memory/3132-26014-0x0000000002B50000-0x0000000003B50000-memory.dmp

Filesize
16.0MB

Download
memory/3132-26019-0x0000000002B50000-0x0000000003B50000-memory.dmp

Filesize
16.0MB

Download
memory/3132-26030-0x0000000002B50000-0x0000000003B50000-memory.dmp

Filesize
16.0MB

Download
memory/3132-26046-0x0000000002B50000-0x0000000003B50000-memory.dmp

Filesize
16.0MB

Download
memory/3132-26071-0x0000000002B50000-0x0000000003B50000-memory.dmp

Filesize
16.0MB

Download
memory/3132-26070-0x0000000002B50000-0x0000000003B50000-memory.dmp

Filesize
16.0MB

Download
memory/3132-26069-0x0000000002B50000-0x0000000003B50000-memory.dmp

Filesize
16.0MB

Download
memory/3132-26068-0x0000000002B50000-0x0000000003B50000-memory.dmp

Filesize
16.0MB

Download
memory/3132-26067-0x0000000002B50000-0x0000000003B50000-memory.dmp

Filesize
16.0MB

Download
memory/3132-26066-0x0000000002B50000-0x0000000003B50000-memory.dmp

Filesize
16.0MB

Download
memory/3132-26064-0x0000000002B50000-0x0000000003B50000-memory.dmp

Filesize
16.0MB

Download
memory/3132-26063-0x0000000002B50000-0x0000000003B50000-memory.dmp

Filesize
16.0MB

Download
memory/3132-26062-0x0000000002B50000-0x0000000003B50000-memory.dmp

Filesize
16.0MB

Download
memory/3132-26061-0x0000000002B50000-0x0000000003B50000-memory.dmp

Filesize
16.0MB

Download
memory/3132-26060-0x0000000002B50000-0x0000000003B50000-memory.dmp

Filesize
16.0MB

Download
memory/3132-26059-0x0000000002B50000-0x0000000003B50000-memory.dmp

Filesize
16.0MB

Download
memory/3132-26058-0x0000000002B50000-0x0000000003B50000-memory.dmp

Filesize
16.0MB

Download
memory/3132-26057-0x0000000002B50000-0x0000000003B50000-memory.dmp

Filesize
16.0MB

Download
memory/3132-26056-0x0000000002B50000-0x0000000003B50000-memory.dmp

Filesize
16.0MB

Download
memory/3132-26055-0x0000000002B50000-0x0000000003B50000-memory.dmp

Filesize
16.0MB

Download
memory/3132-26050-0x0000000002B50000-0x0000000003B50000-memory.dmp

Filesize
16.0MB

Download
memory/3132-26048-0x0000000002B50000-0x0000000003B50000-memory.dmp

Filesize
16.0MB

Download
memory/3132-26045-0x0000000002B50000-0x0000000003B50000-memory.dmp

Filesize
16.0MB

Download
memory/3132-26043-0x0000000002B50000-0x0000000003B50000-memory.dmp

Filesize
16.0MB

Download
memory/3132-26040-0x0000000002B50000-0x0000000003B50000-memory.dmp

Filesize
16.0MB

Download
memory/3132-26038-0x0000000002B50000-0x0000000003B50000-memory.dmp

Filesize
16.0MB

Download
memory/3132-26037-0x0000000002B50000-0x0000000003B50000-memory.dmp

Filesize
16.0MB

Download
memory/3132-26036-0x0000000002B50000-0x0000000003B50000-memory.dmp

Filesize
16.0MB

Download
memory/3132-26035-0x0000000002B50000-0x0000000003B50000-memory.dmp

Filesize
16.0MB

Download
memory/3132-26054-0x0000000002B50000-0x0000000003B50000-memory.dmp

Filesize
16.0MB

Download
memory/3132-26033-0x0000000002B50000-0x0000000003B50000-memory.dmp

Filesize
16.0MB

Download
memory/3132-26052-0x0000000002B50000-0x0000000003B50000-memory.dmp

Filesize
16.0MB

Download
memory/3132-26051-0x0000000002B50000-0x0000000003B50000-memory.dmp

Filesize
16.0MB

Download
memory/3132-26049-0x0000000002B50000-0x0000000003B50000-memory.dmp

Filesize
16.0MB

Download
memory/3132-26031-0x0000000002B50000-0x0000000003B50000-memory.dmp

Filesize
16.0MB

Download
memory/3132-26047-0x0000000002B50000-0x0000000003B50000-memory.dmp

Filesize
16.0MB

Download
memory/3132-26029-0x0000000002B50000-0x0000000003B50000-memory.dmp

Filesize
16.0MB

Download
memory/3132-26028-0x0000000002B50000-0x0000000003B50000-memory.dmp

Filesize
16.0MB

Download
memory/3132-26044-0x0000000002B50000-0x0000000003B50000-memory.dmp

Filesize
16.0MB

Download
memory/3132-26042-0x0000000002B50000-0x0000000003B50000-memory.dmp

Filesize
16.0MB

Download
memory/3132-26041-0x0000000002B50000-0x0000000003B50000-memory.dmp

Filesize
16.0MB

Download
memory/3132-26025-0x0000000002B50000-0x0000000003B50000-memory.dmp

Filesize
16.0MB

Download
memory/3132-26039-0x0000000002B50000-0x0000000003B50000-memory.dmp

Filesize
16.0MB

Download
memory/3132-26024-0x0000000002B50000-0x0000000003B50000-memory.dmp

Filesize
16.0MB

Download
memory/3132-26017-0x0000000002B50000-0x0000000003B50000-memory.dmp

Filesize
16.0MB

Download
memory/3132-26023-0x0000000002B50000-0x0000000003B50000-memory.dmp

Filesize
16.0MB

Download
memory/3132-26022-0x0000000002B50000-0x0000000003B50000-memory.dmp

Filesize
16.0MB

Download
memory/3132-26034-0x0000000002B50000-0x0000000003B50000-memory.dmp

Filesize
16.0MB

Download
memory/3132-26021-0x0000000002B50000-0x0000000003B50000-memory.dmp

Filesize
16.0MB

Download
memory/3132-26032-0x0000000002B50000-0x0000000003B50000-memory.dmp

Filesize
16.0MB

Download
memory/3132-26018-0x0000000002B50000-0x0000000003B50000-memory.dmp

Filesize
16.0MB

Download
memory/3132-26027-0x0000000002B50000-0x0000000003B50000-memory.dmp

Filesize
16.0MB

Download
memory/3132-26026-0x0000000002B50000-0x0000000003B50000-memory.dmp

Filesize
16.0MB

Download
memory/3132-26016-0x0000000002B50000-0x0000000003B50000-memory.dmp

Filesize
16.0MB

Download
memory/3132-26015-0x0000000002B50000-0x0000000003B50000-memory.dmp

Filesize
16.0MB

Download
memory/3132-26020-0x0000000002B50000-0x0000000003B50000-memory.dmp

Filesize
16.0MB

Download
memory/3132-26010-0x0000000002B50000-0x0000000003B50000-memory.dmp

Filesize
16.0MB

Download
memory/3132-26011-0x0000000002B50000-0x0000000003B50000-memory.dmp

Filesize
16.0MB

Download
memory/3132-26012-0x0000000002B50000-0x0000000003B50000-memory.dmp

Filesize
16.0MB

Download