modiloader | 9f00a5fc9bdc5206d34d60f39e9872df590b4b71685afb0996e2d46e2b5a97d2

Analysis

max time kernel
53s
max time network
19s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
26-09-2024 02:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f00a5fc9bdc5206d34d60f39e9872df590b4b71685afb0996e2d46e2b5a97d2.rtf
Size

101KB
MD5

7a9a05109dd848058fd327bc38459a3d
SHA1

a086488bd204ca42e9d522b769b94c9467ad5520
SHA256

9f00a5fc9bdc5206d34d60f39e9872df590b4b71685afb0996e2d46e2b5a97d2
SHA512

8dde56f67785f7594f1e4fe2a3b05519333daa980bae0fd84ffa34671d1d1f7507af6d04dba4909d3195db536ae2fd2782a6f45f5eb7f0df5015ca4b88e0925d
SSDEEP

768:mbTYjIXuCGvGvJSuv0AwTaTSvq1e397u1X:mojyValnaev+eNK

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 60 IoCs

resource	yara_rule
behavioral1/memory/2092-19-0x0000000003230000-0x0000000004230000-memory.dmp	modiloader_stage2
behavioral1/memory/2092-24-0x0000000003230000-0x0000000004230000-memory.dmp	modiloader_stage2
behavioral1/memory/2092-25-0x0000000003230000-0x0000000004230000-memory.dmp	modiloader_stage2
behavioral1/memory/2092-26-0x0000000003230000-0x0000000004230000-memory.dmp	modiloader_stage2
behavioral1/memory/2092-27-0x0000000003230000-0x0000000004230000-memory.dmp	modiloader_stage2
behavioral1/memory/2092-30-0x0000000003230000-0x0000000004230000-memory.dmp	modiloader_stage2
behavioral1/memory/2092-28-0x0000000003230000-0x0000000004230000-memory.dmp	modiloader_stage2
behavioral1/memory/2092-34-0x0000000003230000-0x0000000004230000-memory.dmp	modiloader_stage2
behavioral1/memory/2092-36-0x0000000003230000-0x0000000004230000-memory.dmp	modiloader_stage2
behavioral1/memory/2092-38-0x0000000003230000-0x0000000004230000-memory.dmp	modiloader_stage2
behavioral1/memory/2092-40-0x0000000003230000-0x0000000004230000-memory.dmp	modiloader_stage2
behavioral1/memory/2092-32-0x0000000003230000-0x0000000004230000-memory.dmp	modiloader_stage2
behavioral1/memory/2092-43-0x0000000003230000-0x0000000004230000-memory.dmp	modiloader_stage2
behavioral1/memory/2092-45-0x0000000003230000-0x0000000004230000-memory.dmp	modiloader_stage2
behavioral1/memory/2092-47-0x0000000003230000-0x0000000004230000-memory.dmp	modiloader_stage2
behavioral1/memory/2092-52-0x0000000003230000-0x0000000004230000-memory.dmp	modiloader_stage2
behavioral1/memory/2092-54-0x0000000003230000-0x0000000004230000-memory.dmp	modiloader_stage2
behavioral1/memory/2092-50-0x0000000003230000-0x0000000004230000-memory.dmp	modiloader_stage2
behavioral1/memory/2092-56-0x0000000003230000-0x0000000004230000-memory.dmp	modiloader_stage2
behavioral1/memory/2092-55-0x0000000003230000-0x0000000004230000-memory.dmp	modiloader_stage2
behavioral1/memory/2092-59-0x0000000003230000-0x0000000004230000-memory.dmp	modiloader_stage2
behavioral1/memory/2092-63-0x0000000003230000-0x0000000004230000-memory.dmp	modiloader_stage2
behavioral1/memory/2092-61-0x0000000003230000-0x0000000004230000-memory.dmp	modiloader_stage2
behavioral1/memory/2092-65-0x0000000003230000-0x0000000004230000-memory.dmp	modiloader_stage2
behavioral1/memory/2092-67-0x0000000003230000-0x0000000004230000-memory.dmp	modiloader_stage2
behavioral1/memory/2092-70-0x0000000003230000-0x0000000004230000-memory.dmp	modiloader_stage2
behavioral1/memory/2092-73-0x0000000003230000-0x0000000004230000-memory.dmp	modiloader_stage2
behavioral1/memory/2092-75-0x0000000003230000-0x0000000004230000-memory.dmp	modiloader_stage2
behavioral1/memory/2092-78-0x0000000003230000-0x0000000004230000-memory.dmp	modiloader_stage2
behavioral1/memory/2092-80-0x0000000003230000-0x0000000004230000-memory.dmp	modiloader_stage2
behavioral1/memory/2092-82-0x0000000003230000-0x0000000004230000-memory.dmp	modiloader_stage2
behavioral1/memory/2092-85-0x0000000003230000-0x0000000004230000-memory.dmp	modiloader_stage2
behavioral1/memory/2092-87-0x0000000003230000-0x0000000004230000-memory.dmp	modiloader_stage2
behavioral1/memory/2092-89-0x0000000003230000-0x0000000004230000-memory.dmp	modiloader_stage2
behavioral1/memory/2092-91-0x0000000003230000-0x0000000004230000-memory.dmp	modiloader_stage2
behavioral1/memory/2092-94-0x0000000003230000-0x0000000004230000-memory.dmp	modiloader_stage2
behavioral1/memory/2092-96-0x0000000003230000-0x0000000004230000-memory.dmp	modiloader_stage2
behavioral1/memory/2092-98-0x0000000003230000-0x0000000004230000-memory.dmp	modiloader_stage2
behavioral1/memory/2092-100-0x0000000003230000-0x0000000004230000-memory.dmp	modiloader_stage2
behavioral1/memory/2092-103-0x0000000003230000-0x0000000004230000-memory.dmp	modiloader_stage2
behavioral1/memory/2092-37-0x0000000003230000-0x0000000004230000-memory.dmp	modiloader_stage2
behavioral1/memory/2092-66-0x0000000003230000-0x0000000004230000-memory.dmp	modiloader_stage2
behavioral1/memory/2092-64-0x0000000003230000-0x0000000004230000-memory.dmp	modiloader_stage2
behavioral1/memory/2092-62-0x0000000003230000-0x0000000004230000-memory.dmp	modiloader_stage2
behavioral1/memory/2092-60-0x0000000003230000-0x0000000004230000-memory.dmp	modiloader_stage2
behavioral1/memory/2092-58-0x0000000003230000-0x0000000004230000-memory.dmp	modiloader_stage2
behavioral1/memory/2092-57-0x0000000003230000-0x0000000004230000-memory.dmp	modiloader_stage2
behavioral1/memory/2092-53-0x0000000003230000-0x0000000004230000-memory.dmp	modiloader_stage2
behavioral1/memory/2092-51-0x0000000003230000-0x0000000004230000-memory.dmp	modiloader_stage2
behavioral1/memory/2092-49-0x0000000003230000-0x0000000004230000-memory.dmp	modiloader_stage2
behavioral1/memory/2092-48-0x0000000003230000-0x0000000004230000-memory.dmp	modiloader_stage2
behavioral1/memory/2092-46-0x0000000003230000-0x0000000004230000-memory.dmp	modiloader_stage2
behavioral1/memory/2092-44-0x0000000003230000-0x0000000004230000-memory.dmp	modiloader_stage2
behavioral1/memory/2092-42-0x0000000003230000-0x0000000004230000-memory.dmp	modiloader_stage2
behavioral1/memory/2092-41-0x0000000003230000-0x0000000004230000-memory.dmp	modiloader_stage2
behavioral1/memory/2092-39-0x0000000003230000-0x0000000004230000-memory.dmp	modiloader_stage2
behavioral1/memory/2092-35-0x0000000003230000-0x0000000004230000-memory.dmp	modiloader_stage2
behavioral1/memory/2092-33-0x0000000003230000-0x0000000004230000-memory.dmp	modiloader_stage2
behavioral1/memory/2092-31-0x0000000003230000-0x0000000004230000-memory.dmp	modiloader_stage2
behavioral1/memory/2092-29-0x0000000003230000-0x0000000004230000-memory.dmp	modiloader_stage2

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	3000	EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
2092	audiodg.exe

Loads dropped DLL 5 IoCs

pid	Process
3000	EQNEDT32.EXE
3000	EQNEDT32.EXE
1552	WerFault.exe
1552	WerFault.exe
1552	WerFault.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1552	2092	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQNEDT32.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiodg.exe

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
3000	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2024	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2024	WINWORD.EXE
2024	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 2092	3000	EQNEDT32.EXE	31
PID 3000 wrote to memory of 2092	3000	EQNEDT32.EXE	31
PID 3000 wrote to memory of 2092	3000	EQNEDT32.EXE	31
PID 3000 wrote to memory of 2092	3000	EQNEDT32.EXE	31
PID 2024 wrote to memory of 2692	2024	WINWORD.EXE	33
PID 2024 wrote to memory of 2692	2024	WINWORD.EXE	33
PID 2024 wrote to memory of 2692	2024	WINWORD.EXE	33
PID 2024 wrote to memory of 2692	2024	WINWORD.EXE	33
PID 2092 wrote to memory of 1552	2092	audiodg.exe	34
PID 2092 wrote to memory of 1552	2092	audiodg.exe	34
PID 2092 wrote to memory of 1552	2092	audiodg.exe	34
PID 2092 wrote to memory of 1552	2092	audiodg.exe	34

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9f00a5fc9bdc5206d34d60f39e9872df590b4b71685afb0996e2d46e2b5a97d2.rtf"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2692

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Users\Admin\AppData\Roaming\audiodg.exe
  "C:\Users\Admin\AppData\Roaming\audiodg.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 716
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\audiodg.exe

Filesize
1.0MB

MD5
bbf710c83246092a538128620853d4fd

SHA1
95338f06c76178de31b5e8453f92c43f970ea9f9

SHA256
7ad64f279e3fa6a7d0ef2916240f1337584c5b5176fb56089771164f2905554f

SHA512
a609d92fe0d25e7db140c731af4b241d47cdaddfe735d9f7575c982ef790ab01d7f969038546e6054101b745e8c208f74e41faf246173ca0722c7b994cf94001

Download Submit
memory/2024-0-0x000000002F961000-0x000000002F962000-memory.dmp

Filesize
4KB

Download
memory/2024-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2024-2-0x0000000073CFD000-0x0000000073D08000-memory.dmp

Filesize
44KB

Download
memory/2024-21-0x0000000073CFD000-0x0000000073D08000-memory.dmp

Filesize
44KB

Download
memory/2092-16-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/2092-19-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/2092-18-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/2092-22-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/2092-24-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/2092-25-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/2092-26-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/2092-27-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/2092-30-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/2092-28-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/2092-34-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/2092-36-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/2092-38-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/2092-40-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/2092-32-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/2092-43-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/2092-45-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/2092-47-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/2092-52-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/2092-54-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/2092-50-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/2092-56-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/2092-55-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/2092-59-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/2092-63-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/2092-61-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/2092-65-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/2092-67-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/2092-70-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/2092-73-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/2092-75-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/2092-78-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/2092-80-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/2092-82-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/2092-85-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/2092-87-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/2092-89-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/2092-91-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/2092-94-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/2092-96-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/2092-98-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/2092-100-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/2092-103-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/2092-37-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/2092-66-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/2092-64-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/2092-62-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/2092-60-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/2092-58-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/2092-57-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/2092-53-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/2092-51-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/2092-49-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/2092-48-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/2092-46-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/2092-44-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/2092-42-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/2092-41-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/2092-39-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/2092-35-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/2092-33-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/2092-31-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/2092-29-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download