modiloader | 2030662c65482c1023283552d0dd9ec008accd7fdb07e27ce892fe295e5b1f49

Analysis

max time kernel
118s
max time network
136s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
11-01-2025 20:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_003e5284adbe3af8a1775ebc2ec53762.exe
Size

699KB
MD5

003e5284adbe3af8a1775ebc2ec53762
SHA1

ba227c3ac21edc7909b18f497cc62f0ca7035673
SHA256

2030662c65482c1023283552d0dd9ec008accd7fdb07e27ce892fe295e5b1f49
SHA512

9f4d84278f8d9d597aadf4b0fd48ff19a42e63bb0c9dc2c5232362f3ce61bbd68f457fe365ad0951a3901dcd8d9f81eda2612db20f4bef852e78d012a93e8e3c
SSDEEP

12288:Uc///////d+uj8hN2yidQTpoR/eXPG77ZKL8dGyu5rjA143TSimZJ/rQEVHaaBnd:Uc///////d+Hr2BdopoRW+/wKGyuhj0f

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 7 IoCs

resource	yara_rule
behavioral1/memory/2840-4-0x0000000000400000-0x00000000004BB000-memory.dmp	modiloader_stage2
behavioral1/memory/2840-7-0x0000000000400000-0x00000000004BB000-memory.dmp	modiloader_stage2
behavioral1/memory/2840-8-0x0000000000400000-0x00000000004BB000-memory.dmp	modiloader_stage2
behavioral1/memory/2840-9-0x0000000000400000-0x00000000004BB000-memory.dmp	modiloader_stage2
behavioral1/memory/2840-11-0x0000000000400000-0x00000000004BB000-memory.dmp	modiloader_stage2
behavioral1/memory/2840-13-0x0000000000400000-0x00000000004BB000-memory.dmp	modiloader_stage2
behavioral1/memory/2840-16-0x0000000000400000-0x00000000004BB000-memory.dmp	modiloader_stage2

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2776 set thread context of 2840	2776	VirusShare_003e5284adbe3af8a1775ebc2ec53762.exe	30
PID 2840 set thread context of 2736	2840	VirusShare_003e5284adbe3af8a1775ebc2ec53762.exe	31

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\SetupWay.txt	VirusShare_003e5284adbe3af8a1775ebc2ec53762.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VirusShare_003e5284adbe3af8a1775ebc2ec53762.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VirusShare_003e5284adbe3af8a1775ebc2ec53762.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{521D1BB1-D05D-11EF-A88A-DE8CFA0D7791} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "442790339"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2736	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2736	IEXPLORE.EXE
2736	IEXPLORE.EXE
2904	IEXPLORE.EXE
2904	IEXPLORE.EXE
2904	IEXPLORE.EXE
2904	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 2840	2776	VirusShare_003e5284adbe3af8a1775ebc2ec53762.exe	30
PID 2776 wrote to memory of 2840	2776	VirusShare_003e5284adbe3af8a1775ebc2ec53762.exe	30
PID 2776 wrote to memory of 2840	2776	VirusShare_003e5284adbe3af8a1775ebc2ec53762.exe	30
PID 2776 wrote to memory of 2840	2776	VirusShare_003e5284adbe3af8a1775ebc2ec53762.exe	30
PID 2776 wrote to memory of 2840	2776	VirusShare_003e5284adbe3af8a1775ebc2ec53762.exe	30
PID 2776 wrote to memory of 2840	2776	VirusShare_003e5284adbe3af8a1775ebc2ec53762.exe	30
PID 2840 wrote to memory of 2736	2840	VirusShare_003e5284adbe3af8a1775ebc2ec53762.exe	31
PID 2840 wrote to memory of 2736	2840	VirusShare_003e5284adbe3af8a1775ebc2ec53762.exe	31
PID 2840 wrote to memory of 2736	2840	VirusShare_003e5284adbe3af8a1775ebc2ec53762.exe	31
PID 2840 wrote to memory of 2736	2840	VirusShare_003e5284adbe3af8a1775ebc2ec53762.exe	31
PID 2840 wrote to memory of 2736	2840	VirusShare_003e5284adbe3af8a1775ebc2ec53762.exe	31
PID 2736 wrote to memory of 2904	2736	IEXPLORE.EXE	32
PID 2736 wrote to memory of 2904	2736	IEXPLORE.EXE	32
PID 2736 wrote to memory of 2904	2736	IEXPLORE.EXE	32
PID 2736 wrote to memory of 2904	2736	IEXPLORE.EXE	32

C:\Users\Admin\AppData\Local\Temp\VirusShare_003e5284adbe3af8a1775ebc2ec53762.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_003e5284adbe3af8a1775ebc2ec53762.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Users\Admin\AppData\Local\Temp\VirusShare_003e5284adbe3af8a1775ebc2ec53762.exe
  C:\Users\Admin\AppData\Local\Temp\VirusShare_003e5284adbe3af8a1775ebc2ec53762.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\program files\internet explorer\IEXPLORE.EXE
    "C:\program files\internet explorer\IEXPLORE.EXE"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2736 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
70ed3248a5ab56e239258af5a8c03a9b

SHA1
5400130df2e1f50c16abaf9ab592999971aab7b4

SHA256
654cebc0e305410be1793efd5802ef54fef95834ba098353a5a353af9e5a7c7a

SHA512
1d077a1f0154e5c17b175c820a11b3fcffd56f4afca417794d8be2ffaa5546efbec9d47cd3e45f4a3b99544b84ef28478cf24559997fa3a6670c720f7b64d1dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4745210fa26ac4c37003c54d781622d8

SHA1
67d85c12bc8516a7e015508a2f0d8e35819396f8

SHA256
352286580aacafb1d7bbd03bbb8a5fd76c6c704f83dbc70d31fd4c86a9b92538

SHA512
469d78115edc20e65305f523450704d80f8998be1e804b344a61edc4355f9b9db578cb969b763ea8e3e56db99f83e063cf0223e7474990e76d535f3dda71389b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
80cffd87e84329bda05c40761a0d8248

SHA1
72426ac3fd42907f43b0ab47bbaec5a625294b23

SHA256
689af91db477ca0791e1437217a074eb706d0506f2b8fea3c197c0c803cad61b

SHA512
e3157b64d99f043021be1560b07077c0bf690c2fe294ae329afac94dd8faf8e700a9b118e24e8e34935003d3ad12509d655f76873d9bd82fb6513c94515dd729

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
853409e8607f1bbabe39631c151095e9

SHA1
654ef9c1db4fa4f4b5adfba80c7d800110ea0e17

SHA256
14d6ef56fa944bc81b553987ce58c0b00c8b552489de435bb3990ccf1dc2495b

SHA512
a361ee07fe3943b8225978016e45ab9e756d28ed23e50b9574e1874085198d15ec1e4b0adc39c3651be811b00ffda5afbca616cbec96d2989a5feb66afbf8e48

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c7e9304c723f9a3ecfe2ed193b40ccf7

SHA1
6bb25fbd019d2fae6650ccdc8a00ae33147cb62a

SHA256
772158df245e6b9430f94ec8207727637b4af18893f88e6e110e30f45af84121

SHA512
6b42121b1f0968e7541efaf773fda6f00c5963cc6ffa3a1df2a1e91e9a6c6a1a096df5db0de183a9d3057e9e8554429cc2cf30b3263a3334943dd5497f27f710

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a183907d59e3fe81969ec5d8abc87115

SHA1
e2d4b40ad2cc983f8cff3801a2a4b81af7e1b818

SHA256
5a96973c6cc9379bba9b067477c1fe41ff605bd70e849ed05a848d80f882018e

SHA512
a0f3142a3234efed21b90e84e34f0b84ab132f2661e056fec37d964a9baa3eb2df4640d78b3a360bcf83d900cd84f1441412a4bc41bcb532f27cd8aa6bdca240

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e158af022008d52be6e8d2a930c3bcd6

SHA1
8347a6072e27149a8e7d7619fea43576334a498f

SHA256
d6ce137d4880cea7cd5539af9858422c643c41debadfb7b325e2188b325d151e

SHA512
d9dbff2cde4b4a37964dd9b39a0299a1c152267a8bcb6e11e4b9710890627b1f7eb51e17cf2256f60af52b33b1b4ff12cc0b7c8f0208fc26638fa081c9e1199c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
53b5955a508510a4a45c0d163bc8a08c

SHA1
5846f4858be2128300c92f3f537405ab51253470

SHA256
1095301dc3b266cb56e3105c01bc6733b8620e74f369d33e092d6e5a72cd627e

SHA512
1aa08f62d11b88d76fdf0d603f47c7bbc1dcf7d6ff08077ced1bbaa7557da1c5607200f63ca1ee37754dddd93c50d0579c213752be9e4f04d6440bf68e253650

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c6944a81abcfe3a25e363130fec9cdd2

SHA1
cc2addd754acc600a089656fc58b19becc6e53ac

SHA256
f56a2a387a7b23805b8663c43e212c2f1bd7d8cdbca0da7037373b3c728e3809

SHA512
2d4df845737ce7ce71bc91cb0272b473481e5b1fc2a72c0f2a295b2d2f9e60a0e2a3278eefc4e446d657d8330c04569321ad2aa17913d8042818199564e1e04f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
016bffee8cfc5721044de8aff2769127

SHA1
eaec1992d9660f1152ba7931600af135b9270871

SHA256
864a8d6c58de3684e6b934107e673e5e4c9dd7e1604211a2f19cd6a94098b71f

SHA512
98f2b8577f561fc1c9725bad7c3dbc2f27ce2e8239409cf5e44ab75343f99d58d5373fb42097aff7a4278f7752752d3faee7d251c921dfd345c92b3c7ffbddf3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c6d0e6814f03babb8ad86f7cb1c8e9b

SHA1
0e97c14c480bc4fe8eaea041fa32af8b96221a7e

SHA256
9c2a997a04d748ecc236d8e9ae77c83e56d55ca811ef61036a1e3623516da3ce

SHA512
145e37196e6fa351795d40feab9dc7bd5e67e75096b0dd8bc2c360022dcc6f0de07fee69ff6f481721b00c8550790e35f5827218b156b39119c0d8da782016cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6F69.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7056.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/2736-12-0x00000000001D0000-0x0000000000285000-memory.dmp

Filesize
724KB

Download
memory/2776-5-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2840-16-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2840-13-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2840-11-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2840-9-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2840-8-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2840-7-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2840-0-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2840-2-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2840-4-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download