modiloader | b307218533a96ecefbdab4fad0dec64baec07ef261e7985b899a4c43b1325892

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
20/01/2025, 10:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c67c61c88599a7c48fce6f41d2f824af.exe
Size

973KB
MD5

c67c61c88599a7c48fce6f41d2f824af
SHA1

774d18c58980225ed4321ad479b0e7a45ab84efa
SHA256

b307218533a96ecefbdab4fad0dec64baec07ef261e7985b899a4c43b1325892
SHA512

3f155a898a5222339acc7ea69abe6d21f87647473f98a0ee88f12a6a41ee9fd615f3163a46d6518c31d5c8360586acf4c08798a2faa0e924bb7062a587fe14c8
SSDEEP

24576:bBVRVxmQEkZkjSnbyewh+lMewKe9X7yxw7IYNoIjSst8H2se:bBmB+Q+SJwxw7IYNbjSi8H2se

Score

10^/10

modiloader discovery persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 62 IoCs

resource	yara_rule
behavioral1/memory/2340-2-0x0000000003010000-0x0000000004010000-memory.dmp	modiloader_stage2
behavioral1/memory/2340-14-0x0000000003010000-0x0000000004010000-memory.dmp	modiloader_stage2
behavioral1/memory/2340-12-0x0000000003010000-0x0000000004010000-memory.dmp	modiloader_stage2
behavioral1/memory/2340-10-0x0000000003010000-0x0000000004010000-memory.dmp	modiloader_stage2
behavioral1/memory/2340-8-0x0000000003010000-0x0000000004010000-memory.dmp	modiloader_stage2
behavioral1/memory/2340-84-0x0000000003010000-0x0000000004010000-memory.dmp	modiloader_stage2
behavioral1/memory/2340-48-0x0000000003010000-0x0000000004010000-memory.dmp	modiloader_stage2
behavioral1/memory/2340-46-0x0000000003010000-0x0000000004010000-memory.dmp	modiloader_stage2
behavioral1/memory/2340-45-0x0000000003010000-0x0000000004010000-memory.dmp	modiloader_stage2
behavioral1/memory/2340-43-0x0000000003010000-0x0000000004010000-memory.dmp	modiloader_stage2
behavioral1/memory/2340-41-0x0000000003010000-0x0000000004010000-memory.dmp	modiloader_stage2
behavioral1/memory/2340-39-0x0000000003010000-0x0000000004010000-memory.dmp	modiloader_stage2
behavioral1/memory/2340-37-0x0000000003010000-0x0000000004010000-memory.dmp	modiloader_stage2
behavioral1/memory/2340-35-0x0000000003010000-0x0000000004010000-memory.dmp	modiloader_stage2
behavioral1/memory/2340-32-0x0000000003010000-0x0000000004010000-memory.dmp	modiloader_stage2
behavioral1/memory/2340-30-0x0000000003010000-0x0000000004010000-memory.dmp	modiloader_stage2
behavioral1/memory/2340-29-0x0000000003010000-0x0000000004010000-memory.dmp	modiloader_stage2
behavioral1/memory/2340-27-0x0000000003010000-0x0000000004010000-memory.dmp	modiloader_stage2
behavioral1/memory/2340-25-0x0000000003010000-0x0000000004010000-memory.dmp	modiloader_stage2
behavioral1/memory/2340-23-0x0000000003010000-0x0000000004010000-memory.dmp	modiloader_stage2
behavioral1/memory/2340-22-0x0000000003010000-0x0000000004010000-memory.dmp	modiloader_stage2
behavioral1/memory/2340-20-0x0000000003010000-0x0000000004010000-memory.dmp	modiloader_stage2
behavioral1/memory/2340-19-0x0000000003010000-0x0000000004010000-memory.dmp	modiloader_stage2
behavioral1/memory/2340-17-0x0000000003010000-0x0000000004010000-memory.dmp	modiloader_stage2
behavioral1/memory/2340-16-0x0000000003010000-0x0000000004010000-memory.dmp	modiloader_stage2
behavioral1/memory/2340-15-0x0000000003010000-0x0000000004010000-memory.dmp	modiloader_stage2
behavioral1/memory/2340-82-0x0000000003010000-0x0000000004010000-memory.dmp	modiloader_stage2
behavioral1/memory/2340-80-0x0000000003010000-0x0000000004010000-memory.dmp	modiloader_stage2
behavioral1/memory/2340-77-0x0000000003010000-0x0000000004010000-memory.dmp	modiloader_stage2
behavioral1/memory/2340-13-0x0000000003010000-0x0000000004010000-memory.dmp	modiloader_stage2
behavioral1/memory/2340-74-0x0000000003010000-0x0000000004010000-memory.dmp	modiloader_stage2
behavioral1/memory/2340-72-0x0000000003010000-0x0000000004010000-memory.dmp	modiloader_stage2
behavioral1/memory/2340-70-0x0000000003010000-0x0000000004010000-memory.dmp	modiloader_stage2
behavioral1/memory/2340-67-0x0000000003010000-0x0000000004010000-memory.dmp	modiloader_stage2
behavioral1/memory/2340-65-0x0000000003010000-0x0000000004010000-memory.dmp	modiloader_stage2
behavioral1/memory/2340-63-0x0000000003010000-0x0000000004010000-memory.dmp	modiloader_stage2
behavioral1/memory/2340-61-0x0000000003010000-0x0000000004010000-memory.dmp	modiloader_stage2
behavioral1/memory/2340-58-0x0000000003010000-0x0000000004010000-memory.dmp	modiloader_stage2
behavioral1/memory/2340-11-0x0000000003010000-0x0000000004010000-memory.dmp	modiloader_stage2
behavioral1/memory/2340-56-0x0000000003010000-0x0000000004010000-memory.dmp	modiloader_stage2
behavioral1/memory/2340-53-0x0000000003010000-0x0000000004010000-memory.dmp	modiloader_stage2
behavioral1/memory/2340-50-0x0000000003010000-0x0000000004010000-memory.dmp	modiloader_stage2
behavioral1/memory/2340-51-0x0000000003010000-0x0000000004010000-memory.dmp	modiloader_stage2
behavioral1/memory/2340-49-0x0000000003010000-0x0000000004010000-memory.dmp	modiloader_stage2
behavioral1/memory/2340-47-0x0000000003010000-0x0000000004010000-memory.dmp	modiloader_stage2
behavioral1/memory/2340-9-0x0000000003010000-0x0000000004010000-memory.dmp	modiloader_stage2
behavioral1/memory/2340-44-0x0000000003010000-0x0000000004010000-memory.dmp	modiloader_stage2
behavioral1/memory/2340-42-0x0000000003010000-0x0000000004010000-memory.dmp	modiloader_stage2
behavioral1/memory/2340-40-0x0000000003010000-0x0000000004010000-memory.dmp	modiloader_stage2
behavioral1/memory/2340-38-0x0000000003010000-0x0000000004010000-memory.dmp	modiloader_stage2
behavioral1/memory/2340-36-0x0000000003010000-0x0000000004010000-memory.dmp	modiloader_stage2
behavioral1/memory/2340-34-0x0000000003010000-0x0000000004010000-memory.dmp	modiloader_stage2
behavioral1/memory/2340-33-0x0000000003010000-0x0000000004010000-memory.dmp	modiloader_stage2
behavioral1/memory/2340-7-0x0000000003010000-0x0000000004010000-memory.dmp	modiloader_stage2
behavioral1/memory/2340-31-0x0000000003010000-0x0000000004010000-memory.dmp	modiloader_stage2
behavioral1/memory/2340-28-0x0000000003010000-0x0000000004010000-memory.dmp	modiloader_stage2
behavioral1/memory/2340-26-0x0000000003010000-0x0000000004010000-memory.dmp	modiloader_stage2
behavioral1/memory/2340-24-0x0000000003010000-0x0000000004010000-memory.dmp	modiloader_stage2
behavioral1/memory/2340-6-0x0000000003010000-0x0000000004010000-memory.dmp	modiloader_stage2
behavioral1/memory/2340-21-0x0000000003010000-0x0000000004010000-memory.dmp	modiloader_stage2
behavioral1/memory/2340-18-0x0000000003010000-0x0000000004010000-memory.dmp	modiloader_stage2
behavioral1/memory/2340-5-0x0000000003010000-0x0000000004010000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

pid	Process
3052	svchost.pif
1952	svchost.pif

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mrtitfkx = "C:\\Users\\Public\\Mrtitfkx.url"	c67c61c88599a7c48fce6f41d2f824af.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	drive.google.com
4	drive.google.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2708	2340	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c67c61c88599a7c48fce6f41d2f824af.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	4	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	6	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 2920	2340	c67c61c88599a7c48fce6f41d2f824af.exe	31
PID 2340 wrote to memory of 2920	2340	c67c61c88599a7c48fce6f41d2f824af.exe	31
PID 2340 wrote to memory of 2920	2340	c67c61c88599a7c48fce6f41d2f824af.exe	31
PID 2340 wrote to memory of 2920	2340	c67c61c88599a7c48fce6f41d2f824af.exe	31
PID 2340 wrote to memory of 1772	2340	c67c61c88599a7c48fce6f41d2f824af.exe	33
PID 2340 wrote to memory of 1772	2340	c67c61c88599a7c48fce6f41d2f824af.exe	33
PID 2340 wrote to memory of 1772	2340	c67c61c88599a7c48fce6f41d2f824af.exe	33
PID 2340 wrote to memory of 1772	2340	c67c61c88599a7c48fce6f41d2f824af.exe	33
PID 2340 wrote to memory of 1960	2340	c67c61c88599a7c48fce6f41d2f824af.exe	37
PID 2340 wrote to memory of 1960	2340	c67c61c88599a7c48fce6f41d2f824af.exe	37
PID 2340 wrote to memory of 1960	2340	c67c61c88599a7c48fce6f41d2f824af.exe	37
PID 2340 wrote to memory of 1960	2340	c67c61c88599a7c48fce6f41d2f824af.exe	37
PID 2340 wrote to memory of 2708	2340	c67c61c88599a7c48fce6f41d2f824af.exe	38
PID 2340 wrote to memory of 2708	2340	c67c61c88599a7c48fce6f41d2f824af.exe	38
PID 2340 wrote to memory of 2708	2340	c67c61c88599a7c48fce6f41d2f824af.exe	38
PID 2340 wrote to memory of 2708	2340	c67c61c88599a7c48fce6f41d2f824af.exe	38

C:\Users\Admin\AppData\Local\Temp\c67c61c88599a7c48fce6f41d2f824af.exe
"C:\Users\Admin\AppData\Local\Temp\c67c61c88599a7c48fce6f41d2f824af.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Public\MrtitfkxF.cmd" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2920
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Public\Libraries\FX.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1772
- - C:\Windows \SysWOW64\svchost.pif
    "C:\Windows \SysWOW64\svchost.pif"
    3⤵
    - Executes dropped EXE
    PID:3052
- - C:\Windows \SysWOW64\svchost.pif
    "C:\Windows \SysWOW64\svchost.pif"
    3⤵
    - Executes dropped EXE
    PID:1952
- C:\Windows\SysWOW64\SndVol.exe
  C:\Windows\System32\SndVol.exe
  2⤵
  PID:1960
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 1240
  2⤵
  - Program crash
  PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Libraries\FX.cmd

Filesize
8KB

MD5
7821e3de3812e791cf3b223500d73bc9

SHA1
5e211b634ce77e6fee83ce8a5b8c9a37c8b81e1d

SHA256
3daa7f9eee129f61f7a452f7150ee21a1c4141586a37f37842b9c3bb53152a74

SHA512
6eae270065401626df97b73a255578bf27b4f4dea480954843823046ad95e40cf706c1a767c8765ef3ab48ea3a18498375614317ec00a9ef29a4dd21edbc5f26

Download Submit
C:\Users\Public\MrtitfkxF.cmd

Filesize
11KB

MD5
f82aeb3b12f33250e404df6ec873dd1d

SHA1
bcf538f64457e8d19da89229479cafa9c4cce12f

SHA256
23b7417b47c7efb96fb7ce395e325dc831ab2ee03eadda59058d31bdbe9c1ea6

SHA512
6f9d6daeed78f45f0f83310b95f47cc0a96d1db1d7f6c2e2485d7a8ecb04fee9865eec3599fee2d67f3332f68a70059f1a6a40050b93ef44d55632c24d108977

Download Submit
C:\Windows \SysWOW64\svchost.pif

Filesize
94KB

MD5
869640d0a3f838694ab4dfea9e2f544d

SHA1
bdc42b280446ba53624ff23f314aadb861566832

SHA256
0db4d3ffdb96d13cf3b427af8be66d985728c55ae254e4b67d287797e4c0b323

SHA512
6e775cfb350415434b18427d5ff79b930ed3b0b3fc3466bc195a796c95661d4696f2d662dd0e020c3a6c3419c2734468b1d7546712ecec868d2bbfd2bc2468a7

Download Submit
memory/2340-0-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2340-2-0x0000000003010000-0x0000000004010000-memory.dmp

Filesize
16.0MB

Download
memory/2340-1-0x0000000003010000-0x0000000004010000-memory.dmp

Filesize
16.0MB

Download
memory/2340-14-0x0000000003010000-0x0000000004010000-memory.dmp

Filesize
16.0MB

Download
memory/2340-12-0x0000000003010000-0x0000000004010000-memory.dmp

Filesize
16.0MB

Download
memory/2340-10-0x0000000003010000-0x0000000004010000-memory.dmp

Filesize
16.0MB

Download
memory/2340-8-0x0000000003010000-0x0000000004010000-memory.dmp

Filesize
16.0MB

Download
memory/2340-84-0x0000000003010000-0x0000000004010000-memory.dmp

Filesize
16.0MB

Download
memory/2340-48-0x0000000003010000-0x0000000004010000-memory.dmp

Filesize
16.0MB

Download
memory/2340-46-0x0000000003010000-0x0000000004010000-memory.dmp

Filesize
16.0MB

Download
memory/2340-45-0x0000000003010000-0x0000000004010000-memory.dmp

Filesize
16.0MB

Download
memory/2340-43-0x0000000003010000-0x0000000004010000-memory.dmp

Filesize
16.0MB

Download
memory/2340-41-0x0000000003010000-0x0000000004010000-memory.dmp

Filesize
16.0MB

Download
memory/2340-39-0x0000000003010000-0x0000000004010000-memory.dmp

Filesize
16.0MB

Download
memory/2340-37-0x0000000003010000-0x0000000004010000-memory.dmp

Filesize
16.0MB

Download
memory/2340-35-0x0000000003010000-0x0000000004010000-memory.dmp

Filesize
16.0MB

Download
memory/2340-32-0x0000000003010000-0x0000000004010000-memory.dmp

Filesize
16.0MB

Download
memory/2340-30-0x0000000003010000-0x0000000004010000-memory.dmp

Filesize
16.0MB

Download
memory/2340-29-0x0000000003010000-0x0000000004010000-memory.dmp

Filesize
16.0MB

Download
memory/2340-27-0x0000000003010000-0x0000000004010000-memory.dmp

Filesize
16.0MB

Download
memory/2340-25-0x0000000003010000-0x0000000004010000-memory.dmp

Filesize
16.0MB

Download
memory/2340-23-0x0000000003010000-0x0000000004010000-memory.dmp

Filesize
16.0MB

Download
memory/2340-22-0x0000000003010000-0x0000000004010000-memory.dmp

Filesize
16.0MB

Download
memory/2340-20-0x0000000003010000-0x0000000004010000-memory.dmp

Filesize
16.0MB

Download
memory/2340-19-0x0000000003010000-0x0000000004010000-memory.dmp

Filesize
16.0MB

Download
memory/2340-17-0x0000000003010000-0x0000000004010000-memory.dmp

Filesize
16.0MB

Download
memory/2340-16-0x0000000003010000-0x0000000004010000-memory.dmp

Filesize
16.0MB

Download
memory/2340-15-0x0000000003010000-0x0000000004010000-memory.dmp

Filesize
16.0MB

Download
memory/2340-82-0x0000000003010000-0x0000000004010000-memory.dmp

Filesize
16.0MB

Download
memory/2340-80-0x0000000003010000-0x0000000004010000-memory.dmp

Filesize
16.0MB

Download
memory/2340-77-0x0000000003010000-0x0000000004010000-memory.dmp

Filesize
16.0MB

Download
memory/2340-13-0x0000000003010000-0x0000000004010000-memory.dmp

Filesize
16.0MB

Download
memory/2340-74-0x0000000003010000-0x0000000004010000-memory.dmp

Filesize
16.0MB

Download
memory/2340-72-0x0000000003010000-0x0000000004010000-memory.dmp

Filesize
16.0MB

Download
memory/2340-70-0x0000000003010000-0x0000000004010000-memory.dmp

Filesize
16.0MB

Download
memory/2340-67-0x0000000003010000-0x0000000004010000-memory.dmp

Filesize
16.0MB

Download
memory/2340-65-0x0000000003010000-0x0000000004010000-memory.dmp

Filesize
16.0MB

Download
memory/2340-63-0x0000000003010000-0x0000000004010000-memory.dmp

Filesize
16.0MB

Download
memory/2340-61-0x0000000003010000-0x0000000004010000-memory.dmp

Filesize
16.0MB

Download
memory/2340-58-0x0000000003010000-0x0000000004010000-memory.dmp

Filesize
16.0MB

Download
memory/2340-11-0x0000000003010000-0x0000000004010000-memory.dmp

Filesize
16.0MB

Download
memory/2340-56-0x0000000003010000-0x0000000004010000-memory.dmp

Filesize
16.0MB

Download
memory/2340-53-0x0000000003010000-0x0000000004010000-memory.dmp

Filesize
16.0MB

Download
memory/2340-50-0x0000000003010000-0x0000000004010000-memory.dmp

Filesize
16.0MB

Download
memory/2340-51-0x0000000003010000-0x0000000004010000-memory.dmp

Filesize
16.0MB

Download
memory/2340-49-0x0000000003010000-0x0000000004010000-memory.dmp

Filesize
16.0MB

Download
memory/2340-47-0x0000000003010000-0x0000000004010000-memory.dmp

Filesize
16.0MB

Download
memory/2340-9-0x0000000003010000-0x0000000004010000-memory.dmp

Filesize
16.0MB

Download
memory/2340-44-0x0000000003010000-0x0000000004010000-memory.dmp

Filesize
16.0MB

Download
memory/2340-42-0x0000000003010000-0x0000000004010000-memory.dmp

Filesize
16.0MB

Download
memory/2340-40-0x0000000003010000-0x0000000004010000-memory.dmp

Filesize
16.0MB

Download
memory/2340-38-0x0000000003010000-0x0000000004010000-memory.dmp

Filesize
16.0MB

Download
memory/2340-36-0x0000000003010000-0x0000000004010000-memory.dmp

Filesize
16.0MB

Download
memory/2340-34-0x0000000003010000-0x0000000004010000-memory.dmp

Filesize
16.0MB

Download
memory/2340-33-0x0000000003010000-0x0000000004010000-memory.dmp

Filesize
16.0MB

Download
memory/2340-7-0x0000000003010000-0x0000000004010000-memory.dmp

Filesize
16.0MB

Download
memory/2340-31-0x0000000003010000-0x0000000004010000-memory.dmp

Filesize
16.0MB

Download
memory/2340-28-0x0000000003010000-0x0000000004010000-memory.dmp

Filesize
16.0MB

Download
memory/2340-26-0x0000000003010000-0x0000000004010000-memory.dmp

Filesize
16.0MB

Download
memory/2340-24-0x0000000003010000-0x0000000004010000-memory.dmp

Filesize
16.0MB

Download
memory/2340-6-0x0000000003010000-0x0000000004010000-memory.dmp

Filesize
16.0MB

Download
memory/2340-21-0x0000000003010000-0x0000000004010000-memory.dmp

Filesize
16.0MB

Download
memory/2340-18-0x0000000003010000-0x0000000004010000-memory.dmp

Filesize
16.0MB

Download
memory/2340-5-0x0000000003010000-0x0000000004010000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads