modiloader | e67fa62cff0b9fbd5b243bc7d4bfa223f666b923565caf1bac43d396acba0c16

Analysis

max time kernel
41s
max time network
49s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 13:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

barney-error-maker.exe
Size

24.9MB
MD5

96a692baf16c64b02b04bc0d2901b0ae
SHA1

d3e593d40bd792f2f2b1feea437ab876d4af8c96
SHA256

e67fa62cff0b9fbd5b243bc7d4bfa223f666b923565caf1bac43d396acba0c16
SHA512

ac89e76bbaef58a4fdb932da2f066baed95277914c147dcbd20347bec0b26b05f6174c3889c954eed3ced3dc7c14561b237207ffb608c4d7271c0f12fa66bfa3
SSDEEP

786432:vsobryy55Kj5EN9VZl+Z1Mb8w7kYOSbg0FLq:vtXysKjWNjZl+Z1LwwYOrr

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1660-1-0x0000000000400000-0x00000000004DA000-memory.dmp	modiloader_stage2
behavioral2/memory/1660-2-0x0000000000400000-0x00000000004DA000-memory.dmp	modiloader_stage2

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings firefox.exe
Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

firefox.exe

pid process

4604 firefox.exe
4604 firefox.exe
4604 firefox.exe
4604 firefox.exe
4604 firefox.exe
4604 firefox.exe
4604 firefox.exe
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

firefox.exe

pid process

4604 firefox.exe
4604 firefox.exe
4604 firefox.exe
4604 firefox.exe
4604 firefox.exe
4604 firefox.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

4604 firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	firefox.exe

pid	process
4604	firefox.exe
4604	firefox.exe
4604	firefox.exe
4604	firefox.exe
4604	firefox.exe
4604	firefox.exe
4604	firefox.exe

pid	process
4604	firefox.exe
4604	firefox.exe
4604	firefox.exe
4604	firefox.exe
4604	firefox.exe
4604	firefox.exe

pid	process
4604	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exefirefox.exe

description	pid	process	target process
PID 3648 wrote to memory of 4604	3648	firefox.exe	firefox.exe
PID 3648 wrote to memory of 4604	3648	firefox.exe	firefox.exe
PID 3648 wrote to memory of 4604	3648	firefox.exe	firefox.exe
PID 3648 wrote to memory of 4604	3648	firefox.exe	firefox.exe
PID 3648 wrote to memory of 4604	3648	firefox.exe	firefox.exe
PID 3648 wrote to memory of 4604	3648	firefox.exe	firefox.exe
PID 3648 wrote to memory of 4604	3648	firefox.exe	firefox.exe
PID 3648 wrote to memory of 4604	3648	firefox.exe	firefox.exe
PID 3648 wrote to memory of 4604	3648	firefox.exe	firefox.exe
PID 2824 wrote to memory of 1772	2824	firefox.exe	firefox.exe
PID 2824 wrote to memory of 1772	2824	firefox.exe	firefox.exe
PID 3648 wrote to memory of 4604	3648	firefox.exe	firefox.exe
PID 3648 wrote to memory of 4604	3648	firefox.exe	firefox.exe
PID 2824 wrote to memory of 1772	2824	firefox.exe	firefox.exe
PID 2824 wrote to memory of 1772	2824	firefox.exe	firefox.exe
PID 2824 wrote to memory of 1772	2824	firefox.exe	firefox.exe
PID 2824 wrote to memory of 1772	2824	firefox.exe	firefox.exe
PID 2824 wrote to memory of 1772	2824	firefox.exe	firefox.exe
PID 2824 wrote to memory of 1772	2824	firefox.exe	firefox.exe
PID 2824 wrote to memory of 1772	2824	firefox.exe	firefox.exe
PID 2824 wrote to memory of 1772	2824	firefox.exe	firefox.exe
PID 2824 wrote to memory of 1772	2824	firefox.exe	firefox.exe
PID 4604 wrote to memory of 4844	4604	firefox.exe	firefox.exe
PID 4604 wrote to memory of 4844	4604	firefox.exe	firefox.exe
PID 4604 wrote to memory of 5092	4604	firefox.exe	firefox.exe
PID 4604 wrote to memory of 5092	4604	firefox.exe	firefox.exe
PID 4604 wrote to memory of 5092	4604	firefox.exe	firefox.exe
PID 4604 wrote to memory of 5092	4604	firefox.exe	firefox.exe
PID 4604 wrote to memory of 5092	4604	firefox.exe	firefox.exe
PID 4604 wrote to memory of 5092	4604	firefox.exe	firefox.exe
PID 4604 wrote to memory of 5092	4604	firefox.exe	firefox.exe
PID 4604 wrote to memory of 5092	4604	firefox.exe	firefox.exe
PID 4604 wrote to memory of 5092	4604	firefox.exe	firefox.exe
PID 4604 wrote to memory of 5092	4604	firefox.exe	firefox.exe
PID 4604 wrote to memory of 5092	4604	firefox.exe	firefox.exe
PID 4604 wrote to memory of 5092	4604	firefox.exe	firefox.exe
PID 4604 wrote to memory of 5092	4604	firefox.exe	firefox.exe
PID 4604 wrote to memory of 5092	4604	firefox.exe	firefox.exe
PID 4604 wrote to memory of 5092	4604	firefox.exe	firefox.exe
PID 4604 wrote to memory of 5092	4604	firefox.exe	firefox.exe
PID 4604 wrote to memory of 5092	4604	firefox.exe	firefox.exe
PID 4604 wrote to memory of 5092	4604	firefox.exe	firefox.exe
PID 4604 wrote to memory of 5092	4604	firefox.exe	firefox.exe
PID 4604 wrote to memory of 5092	4604	firefox.exe	firefox.exe
PID 4604 wrote to memory of 5092	4604	firefox.exe	firefox.exe
PID 4604 wrote to memory of 5092	4604	firefox.exe	firefox.exe
PID 4604 wrote to memory of 5092	4604	firefox.exe	firefox.exe
PID 4604 wrote to memory of 5092	4604	firefox.exe	firefox.exe
PID 4604 wrote to memory of 5092	4604	firefox.exe	firefox.exe
PID 4604 wrote to memory of 5092	4604	firefox.exe	firefox.exe
PID 4604 wrote to memory of 5092	4604	firefox.exe	firefox.exe
PID 4604 wrote to memory of 5092	4604	firefox.exe	firefox.exe
PID 4604 wrote to memory of 5092	4604	firefox.exe	firefox.exe
PID 4604 wrote to memory of 5092	4604	firefox.exe	firefox.exe
PID 4604 wrote to memory of 5092	4604	firefox.exe	firefox.exe
PID 4604 wrote to memory of 5092	4604	firefox.exe	firefox.exe
PID 4604 wrote to memory of 5092	4604	firefox.exe	firefox.exe
PID 4604 wrote to memory of 5092	4604	firefox.exe	firefox.exe
PID 4604 wrote to memory of 5092	4604	firefox.exe	firefox.exe
PID 4604 wrote to memory of 5092	4604	firefox.exe	firefox.exe
PID 4604 wrote to memory of 5092	4604	firefox.exe	firefox.exe
PID 4604 wrote to memory of 5092	4604	firefox.exe	firefox.exe
PID 4604 wrote to memory of 5092	4604	firefox.exe	firefox.exe
PID 4604 wrote to memory of 5092	4604	firefox.exe	firefox.exe

C:\Users\Admin\AppData\Local\Temp\barney-error-maker.exe
"C:\Users\Admin\AppData\Local\Temp\barney-error-maker.exe"
1⤵
PID:1660

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3648

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4604

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4604.0.1960690341\473162012" -parentBuildID 20221007134813 -prefsHandle 1884 -prefMapHandle 1876 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8d132356-3b4a-4e81-9888-e2a471997ed8} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" 1964 219912c9d58 gpu
3⤵
PID:4844

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4604.1.1733920386\184414913" -parentBuildID 20221007134813 -prefsHandle 2352 -prefMapHandle 2348 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a0ae7af8-4b4c-4a67-a77e-d2868eb4606a} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" 2364 2199120d558 socket
3⤵
PID:5092

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4604.2.1697693390\1997657335" -childID 1 -isForBrowser -prefsHandle 3220 -prefMapHandle 3216 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8057d223-62f1-4e08-90ee-8058f927f7da} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" 3232 219950fd858 tab
3⤵
PID:5024

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4604.3.1901359426\811331808" -childID 2 -isForBrowser -prefsHandle 3392 -prefMapHandle 3528 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {964adcc7-cee0-4efc-bcab-7107c09879ad} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" 3540 21993bb9858 tab
3⤵
PID:4076

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4604.4.1288664327\1916077506" -childID 3 -isForBrowser -prefsHandle 3804 -prefMapHandle 3792 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f934d0ff-f657-4abd-ae0b-b16c93af4186} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" 3816 21996147b58 tab
3⤵
PID:4748

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4604.5.1126363015\473300009" -childID 4 -isForBrowser -prefsHandle 5024 -prefMapHandle 5020 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1e7da971-e53e-45c6-a879-edb656bd3f24} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" 4524 21993bb7458 tab
3⤵
PID:5608

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4604.6.1226596990\1726230643" -childID 5 -isForBrowser -prefsHandle 5080 -prefMapHandle 5092 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6bc62341-0de6-4ab2-8fdb-c0aa57039852} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" 5052 21999092f58 tab
3⤵
PID:5616

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4604.7.456398503\1967021867" -childID 6 -isForBrowser -prefsHandle 5064 -prefMapHandle 5068 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dba385b2-72ef-413b-a945-b9d5b31aec2f} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" 5208 21999090258 tab
3⤵
PID:5624

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2824

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
PID:1772

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\db\data.safe.bin
Filesize
3KB

MD5
e43d58edf105e0af4e6cfefff8a602a9

SHA1
ce44820c71fc8d4021d3705e732d953b6f180c80

SHA256
e370ec8811bf6c7cc3f762ed1789f7336dd6d960e7eaf20aabf63686027a65b1

SHA512
723468019dc48c7f6c2ac607298629f3b842d29b5514e8b033f51ad55fc1614a8e3040af2f60324b599e0323fefc3f1aabc3bea0b5b07f13028e604dd114c3f3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\db\data.safe.bin
Filesize
2KB

MD5
3a1287a95120d6fc114a02674cb362bd

SHA1
76e8bc915dfe17b564ba31e10a8b9e6a999e9c4a

SHA256
62799033d6ad4968b00b36e44e1f0198f31b281506f6a6f5988a505838747e6f

SHA512
8b24947396961be764895f92666d09bb89755e538a02fa63f5dc980a0a9c3084ee88a80d547440ae3a4b5b2569ef8bf3cea9cfe1aa9ae80c923d568a44924fe1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\33dbcc8e-bec0-4f67-8bff-5ad60292e201
Filesize
11KB

MD5
b94fd7ea6f2b9eb451a152611642353b

SHA1
4870436abcf318475714231af6e245c568d611cb

SHA256
5c890d7205191d8739ca6de6f5000c80854f428c25adb41b79517d917b4c3814

SHA512
f044bc6d55246908341d69ba50179762d5923c91aa34aebc453b7aba73d2476865ca86b2b05b35abf236d868fef81935d2968d9f4826554e65ccfa4c82afc1a9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\4c878dde-e630-46e4-ae38-3658fbbbee74
Filesize
746B

MD5
2bded581cf8e8d6d88ada4b5589b3bfd

SHA1
18b8f25dc88df7680c2efb2fb807ecb887fe433f

SHA256
a10534be4db7a18d4ba1886665e85878cfcd26171826d8ede8376b344f90844d

SHA512
85edbe3029e6bc3e5d690e09310c1334f02a47e5fefd945c2e8fbae389a88e7b335a21b99f3da75477e8222a5cf0eff7ecff4052a24f8e8f3a6fd5a511dbc14b

Download Submit
memory/1660-0-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/1660-1-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/1660-2-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download