modiloader | 26f2439cf56b5fd64aa2b22519e33aff692bb9af18a24bc3ba1f450840d7a476

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 01:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13903a7e289cc092e67b748dfea5389c.exe
Size

489KB
MD5

13903a7e289cc092e67b748dfea5389c
SHA1

5c4c944e6bc42212165379ce8fa707672a5be10d
SHA256

26f2439cf56b5fd64aa2b22519e33aff692bb9af18a24bc3ba1f450840d7a476
SHA512

f0f74ef891ca08800b58e1e311cbe30be669ce24510c08509380392e2eaa7a3216a1ffeac61c50a5e89211efe546d6fbe368139deb8dfa26e9bc54473c9783f3
SSDEEP

12288:SRyk2lzMdfiZRMGs+S2AjS8ocJxmH5I0I:myk2lzGiQMc98ZIh

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2764-37-0x0000000000400000-0x0000000000595000-memory.dmp	modiloader_stage2
behavioral1/memory/3044-38-0x0000000000400000-0x0000000000595000-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2808 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

view.exe

pid process

3044 view.exe
Loads dropped DLL 2 IoCs

Processes:

13903a7e289cc092e67b748dfea5389c.exe

pid process

2764 13903a7e289cc092e67b748dfea5389c.exe
2764 13903a7e289cc092e67b748dfea5389c.exe
Drops file in System32 directory 2 IoCs

Processes:

view.exe

description ioc process

File created C:\Windows\SysWOW64\_view.exe view.exe
File opened for modification C:\Windows\SysWOW64\_view.exe view.exe
Suspicious use of SetThreadContext 2 IoCs

Processes:

view.exe

description pid process target process

PID 3044 set thread context of 2592 3044 view.exe calc.exe
PID 3044 set thread context of 2696 3044 view.exe svchost.exe

pid	process
2808	cmd.exe

pid	process
3044	view.exe

pid	process
2764	13903a7e289cc092e67b748dfea5389c.exe
2764	13903a7e289cc092e67b748dfea5389c.exe

description	ioc	process
File created	C:\Windows\SysWOW64\_view.exe	view.exe
File opened for modification	C:\Windows\SysWOW64\_view.exe	view.exe

description	pid	process	target process
PID 3044 set thread context of 2592	3044	view.exe	calc.exe
PID 3044 set thread context of 2696	3044	view.exe	svchost.exe

Drops file in Program Files directory 3 IoCs

Processes:

13903a7e289cc092e67b748dfea5389c.exe

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\view.exe	13903a7e289cc092e67b748dfea5389c.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\view.exe	13903a7e289cc092e67b748dfea5389c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat	13903a7e289cc092e67b748dfea5389c.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

13903a7e289cc092e67b748dfea5389c.exeview.exe

description	pid	process	target process
PID 2764 wrote to memory of 3044	2764	13903a7e289cc092e67b748dfea5389c.exe	view.exe
PID 2764 wrote to memory of 3044	2764	13903a7e289cc092e67b748dfea5389c.exe	view.exe
PID 2764 wrote to memory of 3044	2764	13903a7e289cc092e67b748dfea5389c.exe	view.exe
PID 2764 wrote to memory of 3044	2764	13903a7e289cc092e67b748dfea5389c.exe	view.exe
PID 3044 wrote to memory of 2592	3044	view.exe	calc.exe
PID 3044 wrote to memory of 2592	3044	view.exe	calc.exe
PID 3044 wrote to memory of 2592	3044	view.exe	calc.exe
PID 3044 wrote to memory of 2592	3044	view.exe	calc.exe
PID 3044 wrote to memory of 2592	3044	view.exe	calc.exe
PID 3044 wrote to memory of 2592	3044	view.exe	calc.exe
PID 3044 wrote to memory of 2696	3044	view.exe	svchost.exe
PID 3044 wrote to memory of 2696	3044	view.exe	svchost.exe
PID 3044 wrote to memory of 2696	3044	view.exe	svchost.exe
PID 3044 wrote to memory of 2696	3044	view.exe	svchost.exe
PID 3044 wrote to memory of 2696	3044	view.exe	svchost.exe
PID 3044 wrote to memory of 2696	3044	view.exe	svchost.exe
PID 2764 wrote to memory of 2808	2764	13903a7e289cc092e67b748dfea5389c.exe	cmd.exe
PID 2764 wrote to memory of 2808	2764	13903a7e289cc092e67b748dfea5389c.exe	cmd.exe
PID 2764 wrote to memory of 2808	2764	13903a7e289cc092e67b748dfea5389c.exe	cmd.exe
PID 2764 wrote to memory of 2808	2764	13903a7e289cc092e67b748dfea5389c.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\13903a7e289cc092e67b748dfea5389c.exe
"C:\Users\Admin\AppData\Local\Temp\13903a7e289cc092e67b748dfea5389c.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2764

C:\Program Files\Common Files\Microsoft Shared\MSINFO\view.exe
"C:\Program Files\Common Files\Microsoft Shared\MSINFO\view.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3044

C:\Windows\SysWOW64\calc.exe
"C:\Windows\system32\calc.exe"
3⤵
PID:2592

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\system32\svchost.exe"
3⤵
PID:2696

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat""
2⤵
- Deletes itself
PID:2808

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSInfo\Delet.bat
Filesize
184B

MD5
24c97ebb99b9e272f65481a127d73783

SHA1
087e314e75c92518edb945240b7a184e72dbd0bf

SHA256
311e13ef70e17292a3483d18799338851bd62ffe27856a2b2b65eff5d57c4db9

SHA512
fa7c7e970bb717f22d7c5a75fc1590877bc12eab1a449906fec77899a3994c92df171b253b276ad02a1825e4f7737f8f797ee372d13e3ef7f53e9fd1b128b809

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\view.exe
Filesize
489KB

MD5
13903a7e289cc092e67b748dfea5389c

SHA1
5c4c944e6bc42212165379ce8fa707672a5be10d

SHA256
26f2439cf56b5fd64aa2b22519e33aff692bb9af18a24bc3ba1f450840d7a476

SHA512
f0f74ef891ca08800b58e1e311cbe30be669ce24510c08509380392e2eaa7a3216a1ffeac61c50a5e89211efe546d6fbe368139deb8dfa26e9bc54473c9783f3

Download Submit
memory/2592-23-0x0000000000400000-0x0000000000595000-memory.dmp

Filesize
1.6MB

Download
memory/2592-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2696-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2764-4-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2764-11-0x00000000031D0000-0x0000000003365000-memory.dmp

Filesize
1.6MB

Download
memory/2764-0-0x0000000000400000-0x0000000000595000-memory.dmp

Filesize
1.6MB

Download
memory/2764-1-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2764-37-0x0000000000400000-0x0000000000595000-memory.dmp

Filesize
1.6MB

Download
memory/3044-14-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/3044-13-0x0000000000400000-0x0000000000595000-memory.dmp

Filesize
1.6MB

Download
memory/3044-18-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/3044-38-0x0000000000400000-0x0000000000595000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads