modiloader | 4410fd44f9c8afef8f62d88ed72d3992332e3d8b27bff4652ef7c27cf2f70d09

Analysis

max time kernel
270s
max time network
214s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
04/04/2025, 12:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BootstrapperV1.14.exe
Size

421KB
MD5

17020d673c9355ed597bf69dddbd0b68
SHA1

b524e4e65526e8cf65b6ea60c080b60ad738a44c
SHA256

b70a30f72b328ae08926a668d94bbf15c45abc50e57667a3d9ab6d61fa4c417b
SHA512

ade8acdbb7a689351b57ed02d89aa03b9ed15b7dfff84b99fc5a7d365f34467a8f4f60ad82fc05ea0fc95aee99c5a00ada53bf1ce1f2bf7f0ee6d1ea7e98ffb4
SSDEEP

6144:hLy84u9nSO2GjZkD10BIY3rb1YfBdfpoZ3u/Ht52w6JSeiFPXouPhG:p+u9nx2GjMY3XKfd/H/9PrPhG

Score

10^/10

modiloader defense_evasion discovery persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 17 IoCs

resource	yara_rule
behavioral3/files/0x00070000000242a6-1.dat	modiloader_stage2
behavioral3/memory/2952-7-0x0000000000400000-0x0000000000470000-memory.dmp	modiloader_stage2
behavioral3/memory/2824-9-0x0000000000400000-0x0000000000470000-memory.dmp	modiloader_stage2
behavioral3/memory/5568-8-0x0000000000400000-0x0000000000470000-memory.dmp	modiloader_stage2
behavioral3/memory/2952-11-0x0000000000400000-0x0000000000470000-memory.dmp	modiloader_stage2
behavioral3/memory/5568-12-0x0000000000400000-0x0000000000470000-memory.dmp	modiloader_stage2
behavioral3/memory/2952-14-0x0000000000400000-0x0000000000470000-memory.dmp	modiloader_stage2
behavioral3/memory/2824-16-0x0000000000400000-0x0000000000470000-memory.dmp	modiloader_stage2
behavioral3/memory/5568-15-0x0000000000400000-0x0000000000470000-memory.dmp	modiloader_stage2
behavioral3/memory/2952-17-0x0000000000400000-0x0000000000470000-memory.dmp	modiloader_stage2
behavioral3/memory/5568-18-0x0000000000400000-0x0000000000470000-memory.dmp	modiloader_stage2
behavioral3/memory/2824-19-0x0000000000400000-0x0000000000470000-memory.dmp	modiloader_stage2
behavioral3/memory/2952-20-0x0000000000400000-0x0000000000470000-memory.dmp	modiloader_stage2
behavioral3/memory/2824-22-0x0000000000400000-0x0000000000470000-memory.dmp	modiloader_stage2
behavioral3/memory/5568-21-0x0000000000400000-0x0000000000470000-memory.dmp	modiloader_stage2
behavioral3/memory/2952-23-0x0000000000400000-0x0000000000470000-memory.dmp	modiloader_stage2
behavioral3/memory/5568-24-0x0000000000400000-0x0000000000470000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

pid	Process
5568	BootstrapperV1.14.exe
2824	BootstrapperV1.14.exe

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	BootstrapperV1.14.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	BootstrapperV1.14.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	BootstrapperV1.14.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	BootstrapperV1.14.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	BootstrapperV1.14.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	BootstrapperV1.14.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BootstrapperV1.14.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BootstrapperV1.14.exe"	BootstrapperV1.14.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BootstrapperV1.14.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BootstrapperV1.14.exe"	BootstrapperV1.14.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BootstrapperV1.14.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BootstrapperV1.14.exe"	BootstrapperV1.14.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperV1.14.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperV1.14.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperV1.14.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5568	BootstrapperV1.14.exe
5568	BootstrapperV1.14.exe
2952	BootstrapperV1.14.exe
2952	BootstrapperV1.14.exe
2952	BootstrapperV1.14.exe
2952	BootstrapperV1.14.exe
5568	BootstrapperV1.14.exe
5568	BootstrapperV1.14.exe
2952	BootstrapperV1.14.exe
2952	BootstrapperV1.14.exe
2952	BootstrapperV1.14.exe
2952	BootstrapperV1.14.exe
5568	BootstrapperV1.14.exe
5568	BootstrapperV1.14.exe
5568	BootstrapperV1.14.exe
5568	BootstrapperV1.14.exe
2952	BootstrapperV1.14.exe
2952	BootstrapperV1.14.exe
2952	BootstrapperV1.14.exe
2952	BootstrapperV1.14.exe
5568	BootstrapperV1.14.exe
5568	BootstrapperV1.14.exe
5568	BootstrapperV1.14.exe
5568	BootstrapperV1.14.exe
2952	BootstrapperV1.14.exe
2952	BootstrapperV1.14.exe
2952	BootstrapperV1.14.exe
2952	BootstrapperV1.14.exe
5568	BootstrapperV1.14.exe
5568	BootstrapperV1.14.exe
5568	BootstrapperV1.14.exe
5568	BootstrapperV1.14.exe
2824	BootstrapperV1.14.exe
2824	BootstrapperV1.14.exe
2824	BootstrapperV1.14.exe
2824	BootstrapperV1.14.exe
2952	BootstrapperV1.14.exe
2952	BootstrapperV1.14.exe
2952	BootstrapperV1.14.exe
2952	BootstrapperV1.14.exe
5568	BootstrapperV1.14.exe
5568	BootstrapperV1.14.exe
5568	BootstrapperV1.14.exe
5568	BootstrapperV1.14.exe
2824	BootstrapperV1.14.exe
2824	BootstrapperV1.14.exe
2824	BootstrapperV1.14.exe
2824	BootstrapperV1.14.exe
2952	BootstrapperV1.14.exe
2952	BootstrapperV1.14.exe
2952	BootstrapperV1.14.exe
2952	BootstrapperV1.14.exe
5568	BootstrapperV1.14.exe
5568	BootstrapperV1.14.exe
5568	BootstrapperV1.14.exe
5568	BootstrapperV1.14.exe
2824	BootstrapperV1.14.exe
2824	BootstrapperV1.14.exe
2824	BootstrapperV1.14.exe
2824	BootstrapperV1.14.exe
2952	BootstrapperV1.14.exe
2952	BootstrapperV1.14.exe
2952	BootstrapperV1.14.exe
2952	BootstrapperV1.14.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1964	explorer.exe
Token: SeCreatePagefilePrivilege	1964	explorer.exe
Token: SeShutdownPrivilege	1964	explorer.exe
Token: SeCreatePagefilePrivilege	1964	explorer.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 5568	2068	cmd.exe	89
PID 2068 wrote to memory of 5568	2068	cmd.exe	89
PID 2068 wrote to memory of 5568	2068	cmd.exe	89
PID 1476 wrote to memory of 2824	1476	cmd.exe	92
PID 1476 wrote to memory of 2824	1476	cmd.exe	92
PID 1476 wrote to memory of 2824	1476	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.14.exe
"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.14.exe"
1⤵
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.14.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.14.exe
  C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.14.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.14.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.14.exe
  C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.14.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2824

C:\Windows\explorer.exe
explorer.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.14.exe

Filesize
421KB

MD5
17020d673c9355ed597bf69dddbd0b68

SHA1
b524e4e65526e8cf65b6ea60c080b60ad738a44c

SHA256
b70a30f72b328ae08926a668d94bbf15c45abc50e57667a3d9ab6d61fa4c417b

SHA512
ade8acdbb7a689351b57ed02d89aa03b9ed15b7dfff84b99fc5a7d365f34467a8f4f60ad82fc05ea0fc95aee99c5a00ada53bf1ce1f2bf7f0ee6d1ea7e98ffb4

Download Submit
memory/2824-10-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/2824-22-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2824-4-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/2824-19-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2824-16-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2824-9-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2952-17-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2952-0-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/2952-23-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2952-11-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2952-7-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2952-14-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2952-20-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2952-5-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/5568-12-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/5568-18-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/5568-15-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/5568-6-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/5568-2-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/5568-21-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/5568-8-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/5568-24-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download