Analysis

  • max time kernel
    140s
  • max time network
    109s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    17/10/2022, 08:51

General

  • Target

    f97daf453536cc7fcc0966247dacfcca3f74f80afed72984ab416ee50e7f55b7.docx

  • Size

    10KB

  • MD5

    999c903533810bea1eb49c81eb05ce32

  • SHA1

    fb7fd4f0d4d10ec19c1c8df0a4fe8cddec0d5919

  • SHA256

    f97daf453536cc7fcc0966247dacfcca3f74f80afed72984ab416ee50e7f55b7

  • SHA512

    f98f755da448fcd057d95723a345e50c107a1178d9a826e01a6e6fa9404a152292f9c169454c9520a0e748f2b99bac4a1a8d7acc5f30ed41beb09de9973d33a1

  • SSDEEP

    192:ScIMmtPYqPC7UpG/bkpbJNOMZrdlJFtGxV3IBR:SPXgqPCfIJNOMZjJFtGxxIz

Score
10/10

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • ModiLoader Second Stage 1 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Abuses OpenXML format to download file from external location 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\f97daf453536cc7fcc0966247dacfcca3f74f80afed72984ab416ee50e7f55b7.docx"
    1⤵
    • Abuses OpenXML format to download file from external location
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:240
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:980
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:1564
      • C:\Users\Public\vbc.exe
        "C:\Users\Public\vbc.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:764

    Network

          MITRE ATT&CK Enterprise v6


          Downloads

          • C:\Users\Public\vbc.exe

            Filesize

            994KB

            MD5

            d6def0e428d8b88ddff3ab2f8363eb03

            SHA1

            bcdcc032b8d6622bf4a3b69def96b55f431ba468

            SHA256

            d41c5c3249418aac220199c5b077f1a6daa15dfc01dfabd451eea1e93e68be95

            SHA512

            9a8b1efc2b878ff88542febfb3417ad92a07954ccefa94216ac5cbefd86f890edeb06e16d52bf85274a2f2faf1213e57d99ca288ddcb468db0ca4aed37442aa6

          • \Users\Public\vbc.exe

            Filesize

            994KB

            MD5

            d6def0e428d8b88ddff3ab2f8363eb03

            SHA1

            bcdcc032b8d6622bf4a3b69def96b55f431ba468

            SHA256

            d41c5c3249418aac220199c5b077f1a6daa15dfc01dfabd451eea1e93e68be95

            SHA512

            9a8b1efc2b878ff88542febfb3417ad92a07954ccefa94216ac5cbefd86f890edeb06e16d52bf85274a2f2faf1213e57d99ca288ddcb468db0ca4aed37442aa6

          • memory/240-58-0x0000000070CCD000-0x0000000070CD8000-memory.dmp

            Filesize

            44KB

          • memory/240-59-0x0000000070CCD000-0x0000000070CD8000-memory.dmp

            Filesize

            44KB

          • memory/240-54-0x0000000072261000-0x0000000072264000-memory.dmp

            Filesize

            12KB

          • memory/240-57-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

            Filesize

            8KB

          • memory/240-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB

          • memory/240-55-0x000000006FCE1000-0x000000006FCE3000-memory.dmp

            Filesize

            8KB

          • memory/240-72-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB

          • memory/240-73-0x0000000070CCD000-0x0000000070CD8000-memory.dmp

            Filesize

            44KB

          • memory/764-68-0x0000000000700000-0x000000000072D000-memory.dmp

            Filesize

            180KB

          • memory/980-71-0x000007FEFB741000-0x000007FEFB743000-memory.dmp

            Filesize

            8KB