modiloader | eb0786d23a2ada26a937a41d56a96514a3df0027ff857d0407d462adfba18ddb

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
22-09-2024 18:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d63c7600ca42fe65af91ae662ef7b637.rtf
Size

78KB
MD5

d63c7600ca42fe65af91ae662ef7b637
SHA1

6f8bba7b9751ed550d0bd7f6f29e7229888ad6f9
SHA256

eb0786d23a2ada26a937a41d56a96514a3df0027ff857d0407d462adfba18ddb
SHA512

83f20a16b336f08d817bc427b39a62a0957ec4bf481b10a320e184c378e227fc2bae513245a18c056fdd34e53f0e6b192f6ca2cb16ad0ca123fdd2938dd58427
SSDEEP

384:vnHdoOarkwlJbmbKLY17V/W7ZftG5eqVdwRQb65Y2zdfGxswDRa:vnHmOarkwTzs174geqVCFux7a

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 61 IoCs

resource	yara_rule
behavioral1/memory/2024-18-0x00000000035B0000-0x00000000045B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2024-26-0x00000000035B0000-0x00000000045B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2024-38-0x00000000035B0000-0x00000000045B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2024-86-0x00000000035B0000-0x00000000045B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2024-85-0x00000000035B0000-0x00000000045B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2024-83-0x00000000035B0000-0x00000000045B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2024-82-0x00000000035B0000-0x00000000045B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2024-80-0x00000000035B0000-0x00000000045B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2024-79-0x00000000035B0000-0x00000000045B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2024-78-0x00000000035B0000-0x00000000045B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2024-76-0x00000000035B0000-0x00000000045B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2024-75-0x00000000035B0000-0x00000000045B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2024-72-0x00000000035B0000-0x00000000045B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2024-71-0x00000000035B0000-0x00000000045B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2024-69-0x00000000035B0000-0x00000000045B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2024-68-0x00000000035B0000-0x00000000045B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2024-67-0x00000000035B0000-0x00000000045B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2024-66-0x00000000035B0000-0x00000000045B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2024-65-0x00000000035B0000-0x00000000045B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2024-64-0x00000000035B0000-0x00000000045B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2024-63-0x00000000035B0000-0x00000000045B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2024-62-0x00000000035B0000-0x00000000045B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2024-60-0x00000000035B0000-0x00000000045B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2024-59-0x00000000035B0000-0x00000000045B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2024-57-0x00000000035B0000-0x00000000045B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2024-56-0x00000000035B0000-0x00000000045B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2024-54-0x00000000035B0000-0x00000000045B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2024-53-0x00000000035B0000-0x00000000045B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2024-52-0x00000000035B0000-0x00000000045B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2024-51-0x00000000035B0000-0x00000000045B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2024-49-0x00000000035B0000-0x00000000045B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2024-48-0x00000000035B0000-0x00000000045B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2024-47-0x00000000035B0000-0x00000000045B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2024-46-0x00000000035B0000-0x00000000045B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2024-44-0x00000000035B0000-0x00000000045B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2024-43-0x00000000035B0000-0x00000000045B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2024-41-0x00000000035B0000-0x00000000045B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2024-40-0x00000000035B0000-0x00000000045B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2024-36-0x00000000035B0000-0x00000000045B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2024-35-0x00000000035B0000-0x00000000045B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2024-33-0x00000000035B0000-0x00000000045B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2024-31-0x00000000035B0000-0x00000000045B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2024-30-0x00000000035B0000-0x00000000045B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2024-84-0x00000000035B0000-0x00000000045B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2024-29-0x00000000035B0000-0x00000000045B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2024-81-0x00000000035B0000-0x00000000045B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2024-77-0x00000000035B0000-0x00000000045B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2024-73-0x00000000035B0000-0x00000000045B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2024-70-0x00000000035B0000-0x00000000045B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2024-28-0x00000000035B0000-0x00000000045B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2024-61-0x00000000035B0000-0x00000000045B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2024-58-0x00000000035B0000-0x00000000045B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2024-55-0x00000000035B0000-0x00000000045B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2024-27-0x00000000035B0000-0x00000000045B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2024-50-0x00000000035B0000-0x00000000045B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2024-45-0x00000000035B0000-0x00000000045B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2024-42-0x00000000035B0000-0x00000000045B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2024-39-0x00000000035B0000-0x00000000045B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2024-37-0x00000000035B0000-0x00000000045B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2024-34-0x00000000035B0000-0x00000000045B0000-memory.dmp	modiloader_stage2
behavioral1/memory/2024-32-0x00000000035B0000-0x00000000045B0000-memory.dmp	modiloader_stage2

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	2760	EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
2024	audiodg.exe

Loads dropped DLL 5 IoCs

pid	Process
2760	EQNEDT32.EXE
2760	EQNEDT32.EXE
2524	WerFault.exe
2524	WerFault.exe
2524	WerFault.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2524	2024	WerFault.exe	33

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQNEDT32.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiodg.exe

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2760	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2708	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2708	WINWORD.EXE
2708	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2760 wrote to memory of 2024	2760	EQNEDT32.EXE	33
PID 2760 wrote to memory of 2024	2760	EQNEDT32.EXE	33
PID 2760 wrote to memory of 2024	2760	EQNEDT32.EXE	33
PID 2760 wrote to memory of 2024	2760	EQNEDT32.EXE	33
PID 2708 wrote to memory of 2108	2708	WINWORD.EXE	35
PID 2708 wrote to memory of 2108	2708	WINWORD.EXE	35
PID 2708 wrote to memory of 2108	2708	WINWORD.EXE	35
PID 2708 wrote to memory of 2108	2708	WINWORD.EXE	35
PID 2024 wrote to memory of 2524	2024	audiodg.exe	36
PID 2024 wrote to memory of 2524	2024	audiodg.exe	36
PID 2024 wrote to memory of 2524	2024	audiodg.exe	36
PID 2024 wrote to memory of 2524	2024	audiodg.exe	36

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\d63c7600ca42fe65af91ae662ef7b637.rtf"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2108

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Users\Admin\AppData\Roaming\audiodg.exe
  "C:\Users\Admin\AppData\Roaming\audiodg.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 768
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
d5e111575b9667f666d9a6f6a407a584

SHA1
fef36198c3ee80510fc2c4e41cbec0bf205d4deb

SHA256
84af7002abdeb8625fc8389aab508cf2d64a3b047eba33fca52fdad1bef82d57

SHA512
af539a99d96a5b787c0e7f1846e51a2f6208c05a031ea94ebdc4bc8e68930a100824bb2c479e6232c7a2c3ab5b94cc2f007d551f4fd3a598be1158e81ea344e1

Download Submit
C:\Users\Admin\AppData\Roaming\audiodg.exe

Filesize
1.6MB

MD5
d2d166937422f379e6dd15041d83af21

SHA1
84e0e1e9371b52e6682303fc11b02b69a3df782d

SHA256
c59da5938f667c04ca2ba3639b6cb3d5813fc189d4b2f412613b4bfa36ae0664

SHA512
3eb977c92a6a541bafd8f5c70d6263c21be019e6124efecb5bd237cbdd24d02eb150f08c9c1bbd3e54a54ef817041a293b03d63d15ec54f18eaa10f888adf8cf

Download Submit
memory/2024-49-0x00000000035B0000-0x00000000045B0000-memory.dmp

Filesize
16.0MB

Download
memory/2024-75-0x00000000035B0000-0x00000000045B0000-memory.dmp

Filesize
16.0MB

Download
memory/2024-38-0x00000000035B0000-0x00000000045B0000-memory.dmp

Filesize
16.0MB

Download
memory/2024-17-0x00000000035B0000-0x00000000045B0000-memory.dmp

Filesize
16.0MB

Download
memory/2024-32-0x00000000035B0000-0x00000000045B0000-memory.dmp

Filesize
16.0MB

Download
memory/2024-86-0x00000000035B0000-0x00000000045B0000-memory.dmp

Filesize
16.0MB

Download
memory/2024-85-0x00000000035B0000-0x00000000045B0000-memory.dmp

Filesize
16.0MB

Download
memory/2024-83-0x00000000035B0000-0x00000000045B0000-memory.dmp

Filesize
16.0MB

Download
memory/2024-82-0x00000000035B0000-0x00000000045B0000-memory.dmp

Filesize
16.0MB

Download
memory/2024-80-0x00000000035B0000-0x00000000045B0000-memory.dmp

Filesize
16.0MB

Download
memory/2024-79-0x00000000035B0000-0x00000000045B0000-memory.dmp

Filesize
16.0MB

Download
memory/2024-78-0x00000000035B0000-0x00000000045B0000-memory.dmp

Filesize
16.0MB

Download
memory/2024-76-0x00000000035B0000-0x00000000045B0000-memory.dmp

Filesize
16.0MB

Download
memory/2024-48-0x00000000035B0000-0x00000000045B0000-memory.dmp

Filesize
16.0MB

Download
memory/2024-72-0x00000000035B0000-0x00000000045B0000-memory.dmp

Filesize
16.0MB

Download
memory/2024-71-0x00000000035B0000-0x00000000045B0000-memory.dmp

Filesize
16.0MB

Download
memory/2024-69-0x00000000035B0000-0x00000000045B0000-memory.dmp

Filesize
16.0MB

Download
memory/2024-68-0x00000000035B0000-0x00000000045B0000-memory.dmp

Filesize
16.0MB

Download
memory/2024-67-0x00000000035B0000-0x00000000045B0000-memory.dmp

Filesize
16.0MB

Download
memory/2024-66-0x00000000035B0000-0x00000000045B0000-memory.dmp

Filesize
16.0MB

Download
memory/2024-65-0x00000000035B0000-0x00000000045B0000-memory.dmp

Filesize
16.0MB

Download
memory/2024-64-0x00000000035B0000-0x00000000045B0000-memory.dmp

Filesize
16.0MB

Download
memory/2024-63-0x00000000035B0000-0x00000000045B0000-memory.dmp

Filesize
16.0MB

Download
memory/2024-62-0x00000000035B0000-0x00000000045B0000-memory.dmp

Filesize
16.0MB

Download
memory/2024-60-0x00000000035B0000-0x00000000045B0000-memory.dmp

Filesize
16.0MB

Download
memory/2024-59-0x00000000035B0000-0x00000000045B0000-memory.dmp

Filesize
16.0MB

Download
memory/2024-57-0x00000000035B0000-0x00000000045B0000-memory.dmp

Filesize
16.0MB

Download
memory/2024-56-0x00000000035B0000-0x00000000045B0000-memory.dmp

Filesize
16.0MB

Download
memory/2024-54-0x00000000035B0000-0x00000000045B0000-memory.dmp

Filesize
16.0MB

Download
memory/2024-53-0x00000000035B0000-0x00000000045B0000-memory.dmp

Filesize
16.0MB

Download
memory/2024-47-0x00000000035B0000-0x00000000045B0000-memory.dmp

Filesize
16.0MB

Download
memory/2024-51-0x00000000035B0000-0x00000000045B0000-memory.dmp

Filesize
16.0MB

Download
memory/2024-43-0x00000000035B0000-0x00000000045B0000-memory.dmp

Filesize
16.0MB

Download
memory/2024-26-0x00000000035B0000-0x00000000045B0000-memory.dmp

Filesize
16.0MB

Download
memory/2024-52-0x00000000035B0000-0x00000000045B0000-memory.dmp

Filesize
16.0MB

Download
memory/2024-46-0x00000000035B0000-0x00000000045B0000-memory.dmp

Filesize
16.0MB

Download
memory/2024-44-0x00000000035B0000-0x00000000045B0000-memory.dmp

Filesize
16.0MB

Download
memory/2024-18-0x00000000035B0000-0x00000000045B0000-memory.dmp

Filesize
16.0MB

Download
memory/2024-41-0x00000000035B0000-0x00000000045B0000-memory.dmp

Filesize
16.0MB

Download
memory/2024-40-0x00000000035B0000-0x00000000045B0000-memory.dmp

Filesize
16.0MB

Download
memory/2024-36-0x00000000035B0000-0x00000000045B0000-memory.dmp

Filesize
16.0MB

Download
memory/2024-35-0x00000000035B0000-0x00000000045B0000-memory.dmp

Filesize
16.0MB

Download
memory/2024-33-0x00000000035B0000-0x00000000045B0000-memory.dmp

Filesize
16.0MB

Download
memory/2024-31-0x00000000035B0000-0x00000000045B0000-memory.dmp

Filesize
16.0MB

Download
memory/2024-30-0x00000000035B0000-0x00000000045B0000-memory.dmp

Filesize
16.0MB

Download
memory/2024-84-0x00000000035B0000-0x00000000045B0000-memory.dmp

Filesize
16.0MB

Download
memory/2024-29-0x00000000035B0000-0x00000000045B0000-memory.dmp

Filesize
16.0MB

Download
memory/2024-81-0x00000000035B0000-0x00000000045B0000-memory.dmp

Filesize
16.0MB

Download
memory/2024-77-0x00000000035B0000-0x00000000045B0000-memory.dmp

Filesize
16.0MB

Download
memory/2024-73-0x00000000035B0000-0x00000000045B0000-memory.dmp

Filesize
16.0MB

Download
memory/2024-70-0x00000000035B0000-0x00000000045B0000-memory.dmp

Filesize
16.0MB

Download
memory/2024-28-0x00000000035B0000-0x00000000045B0000-memory.dmp

Filesize
16.0MB

Download
memory/2024-61-0x00000000035B0000-0x00000000045B0000-memory.dmp

Filesize
16.0MB

Download
memory/2024-58-0x00000000035B0000-0x00000000045B0000-memory.dmp

Filesize
16.0MB

Download
memory/2024-55-0x00000000035B0000-0x00000000045B0000-memory.dmp

Filesize
16.0MB

Download
memory/2024-27-0x00000000035B0000-0x00000000045B0000-memory.dmp

Filesize
16.0MB

Download
memory/2024-50-0x00000000035B0000-0x00000000045B0000-memory.dmp

Filesize
16.0MB

Download
memory/2024-45-0x00000000035B0000-0x00000000045B0000-memory.dmp

Filesize
16.0MB

Download
memory/2024-42-0x00000000035B0000-0x00000000045B0000-memory.dmp

Filesize
16.0MB

Download
memory/2024-39-0x00000000035B0000-0x00000000045B0000-memory.dmp

Filesize
16.0MB

Download
memory/2024-37-0x00000000035B0000-0x00000000045B0000-memory.dmp

Filesize
16.0MB

Download
memory/2024-34-0x00000000035B0000-0x00000000045B0000-memory.dmp

Filesize
16.0MB

Download
memory/2708-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2708-0-0x000000002F151000-0x000000002F152000-memory.dmp

Filesize
4KB

Download
memory/2708-2-0x0000000070B3D000-0x0000000070B48000-memory.dmp

Filesize
44KB

Download
memory/2708-24-0x0000000070B3D000-0x0000000070B48000-memory.dmp

Filesize
44KB

Download