modiloader | 3bc0635a62205be994eb8b5a4bcb9c72361bbc66e3cb2879b7244c03a43cc153

Analysis

max time kernel
45s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 20:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3bc0635a62205be994eb8b5a4bcb9c72361bbc66e3cb2879b7244c03a43cc153.exe
Size

90KB
MD5

7bf9c29841ddbf0a40d5ba431e05570f
SHA1

10b0e09f076ec8d46dd000a151c7e46e65d9af7d
SHA256

3bc0635a62205be994eb8b5a4bcb9c72361bbc66e3cb2879b7244c03a43cc153
SHA512

a739267e8580a1af34d3351a201a899d7115d8818afff59e2569b967a4725ac0e649781e737cf871a014e128ae7d9d2f819aebd1f74b651711d3f7439ba5a6f8
SSDEEP

1536:UiYwjQt6QJvzZsgDIWzm/xsXfv+hYhyQQyV5uv4JBrB7w5VRGulTG1ZCL8nj1oDK:0wjZQJvzZsgsW6/Afv+hYfQIm4/rdE3Y

Score

10^/10

modiloader trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Detects Windows executables referencing non-Windows User-Agents 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4016-61-0x0000000000400000-0x0000000000414000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4016-59-0x0000000000400000-0x0000000000414000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4016-58-0x0000000000400000-0x0000000000414000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4016-63-0x0000000000400000-0x0000000000414000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

ModiLoader Second Stage 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4016-61-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2
behavioral2/memory/4016-59-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2
behavioral2/memory/4016-58-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2
behavioral2/memory/4016-63-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2

UPX dump on OEP (original entry point) 21 IoCs

Processes:

resource	yara_rule
behavioral2/memory/636-0-0x0000000000400000-0x0000000000453000-memory.dmp	UPX
behavioral2/memory/636-1-0x0000000000400000-0x0000000000453000-memory.dmp	UPX
behavioral2/memory/636-4-0x0000000000400000-0x0000000000453000-memory.dmp	UPX
behavioral2/memory/4480-8-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral2/memory/4480-10-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral2/memory/4480-11-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral2/memory/636-14-0x0000000000400000-0x0000000000453000-memory.dmp	UPX
behavioral2/memory/4480-21-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe	UPX
behavioral2/memory/4564-37-0x0000000000400000-0x0000000000453000-memory.dmp	UPX
behavioral2/memory/4480-41-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral2/memory/4564-52-0x0000000000400000-0x0000000000453000-memory.dmp	UPX
behavioral2/memory/4016-46-0x0000000000400000-0x0000000000414000-memory.dmp	UPX
behavioral2/memory/4564-43-0x0000000000400000-0x0000000000453000-memory.dmp	UPX
behavioral2/memory/4016-56-0x0000000000400000-0x0000000000414000-memory.dmp	UPX
behavioral2/memory/4480-60-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral2/memory/4016-61-0x0000000000400000-0x0000000000414000-memory.dmp	UPX
behavioral2/memory/4016-59-0x0000000000400000-0x0000000000414000-memory.dmp	UPX
behavioral2/memory/4016-58-0x0000000000400000-0x0000000000414000-memory.dmp	UPX
behavioral2/memory/4016-63-0x0000000000400000-0x0000000000414000-memory.dmp	UPX
behavioral2/memory/3616-62-0x0000000000400000-0x000000000040B000-memory.dmp	UPX

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3bc0635a62205be994eb8b5a4bcb9c72361bbc66e3cb2879b7244c03a43cc153.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	3bc0635a62205be994eb8b5a4bcb9c72361bbc66e3cb2879b7244c03a43cc153.exe

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/636-0-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/636-1-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/636-4-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/4480-8-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4480-10-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4480-11-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/636-14-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/4480-21-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe	upx
behavioral2/memory/4564-37-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/4480-41-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4564-52-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/4016-46-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/4564-43-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/4016-56-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/4480-60-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4016-61-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/4016-59-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/4016-58-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/4016-63-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/3616-62-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

Processes:

3bc0635a62205be994eb8b5a4bcb9c72361bbc66e3cb2879b7244c03a43cc153.exe

description	pid	process	target process
PID 636 set thread context of 4480	636	3bc0635a62205be994eb8b5a4bcb9c72361bbc66e3cb2879b7244c03a43cc153.exe	3bc0635a62205be994eb8b5a4bcb9c72361bbc66e3cb2879b7244c03a43cc153.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

3bc0635a62205be994eb8b5a4bcb9c72361bbc66e3cb2879b7244c03a43cc153.exe3bc0635a62205be994eb8b5a4bcb9c72361bbc66e3cb2879b7244c03a43cc153.exe

pid process

636 3bc0635a62205be994eb8b5a4bcb9c72361bbc66e3cb2879b7244c03a43cc153.exe
4480 3bc0635a62205be994eb8b5a4bcb9c72361bbc66e3cb2879b7244c03a43cc153.exe

pid	process
636	3bc0635a62205be994eb8b5a4bcb9c72361bbc66e3cb2879b7244c03a43cc153.exe
4480	3bc0635a62205be994eb8b5a4bcb9c72361bbc66e3cb2879b7244c03a43cc153.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

3bc0635a62205be994eb8b5a4bcb9c72361bbc66e3cb2879b7244c03a43cc153.exe

description	pid	process	target process
PID 636 wrote to memory of 4480	636	3bc0635a62205be994eb8b5a4bcb9c72361bbc66e3cb2879b7244c03a43cc153.exe	3bc0635a62205be994eb8b5a4bcb9c72361bbc66e3cb2879b7244c03a43cc153.exe
PID 636 wrote to memory of 4480	636	3bc0635a62205be994eb8b5a4bcb9c72361bbc66e3cb2879b7244c03a43cc153.exe	3bc0635a62205be994eb8b5a4bcb9c72361bbc66e3cb2879b7244c03a43cc153.exe
PID 636 wrote to memory of 4480	636	3bc0635a62205be994eb8b5a4bcb9c72361bbc66e3cb2879b7244c03a43cc153.exe	3bc0635a62205be994eb8b5a4bcb9c72361bbc66e3cb2879b7244c03a43cc153.exe
PID 636 wrote to memory of 4480	636	3bc0635a62205be994eb8b5a4bcb9c72361bbc66e3cb2879b7244c03a43cc153.exe	3bc0635a62205be994eb8b5a4bcb9c72361bbc66e3cb2879b7244c03a43cc153.exe
PID 636 wrote to memory of 4480	636	3bc0635a62205be994eb8b5a4bcb9c72361bbc66e3cb2879b7244c03a43cc153.exe	3bc0635a62205be994eb8b5a4bcb9c72361bbc66e3cb2879b7244c03a43cc153.exe
PID 636 wrote to memory of 4480	636	3bc0635a62205be994eb8b5a4bcb9c72361bbc66e3cb2879b7244c03a43cc153.exe	3bc0635a62205be994eb8b5a4bcb9c72361bbc66e3cb2879b7244c03a43cc153.exe
PID 636 wrote to memory of 4480	636	3bc0635a62205be994eb8b5a4bcb9c72361bbc66e3cb2879b7244c03a43cc153.exe	3bc0635a62205be994eb8b5a4bcb9c72361bbc66e3cb2879b7244c03a43cc153.exe
PID 636 wrote to memory of 4480	636	3bc0635a62205be994eb8b5a4bcb9c72361bbc66e3cb2879b7244c03a43cc153.exe	3bc0635a62205be994eb8b5a4bcb9c72361bbc66e3cb2879b7244c03a43cc153.exe

C:\Users\Admin\AppData\Local\Temp\3bc0635a62205be994eb8b5a4bcb9c72361bbc66e3cb2879b7244c03a43cc153.exe
"C:\Users\Admin\AppData\Local\Temp\3bc0635a62205be994eb8b5a4bcb9c72361bbc66e3cb2879b7244c03a43cc153.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:636

C:\Users\Admin\AppData\Local\Temp\3bc0635a62205be994eb8b5a4bcb9c72361bbc66e3cb2879b7244c03a43cc153.exe
"C:\Users\Admin\AppData\Local\Temp\3bc0635a62205be994eb8b5a4bcb9c72361bbc66e3cb2879b7244c03a43cc153.exe"
2⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:4480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MCXUT.bat" "
3⤵
PID:4392

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Win Pdf" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe" /f
4⤵
PID:3956

C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
3⤵
PID:4564

C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
4⤵
PID:3616

C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
4⤵
PID:4016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4332 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
1⤵
PID:4976

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MCXUT.txt
Filesize
145B

MD5
4eb61ec7816c34ec8c125acadc57ec1b

SHA1
b0015cc865c0bb1a027be663027d3829401a31cc

SHA256
08375cdb2e9819391f67f71e9718c15b48d3eaa452c54bd8fdd1f6a42e899aff

SHA512
f289f01d996dd643560370be8cdf8894e9a676ca3813f706c01ef5d705b9b18246c6cadf10d96edd433a616637b8a78fbd23c5738e76f1c4e671977b6d0cb6c1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
Filesize
90KB

MD5
8fdb269c6505d55f94632e70f74aee1d

SHA1
d5e44edd817e756180e76148d13bf38afb6f001e

SHA256
1cc633f1e823b142e40b19ed3d126c5830cda0beb3b2ca9aa34cbffa3c947545

SHA512
1ac1d32ae1763fc9b7bc4710f3eb0f709b42e24365f5573212a237abc1a0e57fa962be66ebe6576bc6a6240016f1e54822aeb6e5891724f8a4673e00a3871771

Download Submit
memory/636-1-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/636-4-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/636-5-0x0000000002B70000-0x0000000002B72000-memory.dmp

Filesize
8KB

Download
memory/636-7-0x0000000002BA0000-0x0000000002BA2000-memory.dmp

Filesize
8KB

Download
memory/636-6-0x0000000002B90000-0x0000000002B92000-memory.dmp

Filesize
8KB

Download
memory/636-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/636-14-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3616-62-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4016-56-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4016-46-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4016-63-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4016-58-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4016-59-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4016-61-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4480-41-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4480-10-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4480-60-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4480-21-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4480-11-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4480-8-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4564-43-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4564-52-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4564-37-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download