modiloader | 9f00a5fc9bdc5206d34d60f39e9872df590b4b71685afb0996e2d46e2b5a97d2

Analysis

max time kernel
140s
max time network
124s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
26/09/2024, 11:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f00a5fc9bdc5206d34d60f39e9872df590b4b71685afb0996e2d46e2b5a97d2.rtf
Size

101KB
MD5

7a9a05109dd848058fd327bc38459a3d
SHA1

a086488bd204ca42e9d522b769b94c9467ad5520
SHA256

9f00a5fc9bdc5206d34d60f39e9872df590b4b71685afb0996e2d46e2b5a97d2
SHA512

8dde56f67785f7594f1e4fe2a3b05519333daa980bae0fd84ffa34671d1d1f7507af6d04dba4909d3195db536ae2fd2782a6f45f5eb7f0df5015ca4b88e0925d
SSDEEP

768:mbTYjIXuCGvGvJSuv0AwTaTSvq1e397u1X:mojyValnaev+eNK

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 60 IoCs

resource	yara_rule
behavioral1/memory/2560-20-0x00000000031E0000-0x00000000041E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2560-31-0x00000000031E0000-0x00000000041E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2560-34-0x00000000031E0000-0x00000000041E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2560-36-0x00000000031E0000-0x00000000041E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2560-25-0x00000000031E0000-0x00000000041E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2560-39-0x00000000031E0000-0x00000000041E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2560-43-0x00000000031E0000-0x00000000041E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2560-46-0x00000000031E0000-0x00000000041E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2560-50-0x00000000031E0000-0x00000000041E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2560-26-0x00000000031E0000-0x00000000041E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2560-53-0x00000000031E0000-0x00000000041E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2560-55-0x00000000031E0000-0x00000000041E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2560-60-0x00000000031E0000-0x00000000041E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2560-63-0x00000000031E0000-0x00000000041E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2560-27-0x00000000031E0000-0x00000000041E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2560-65-0x00000000031E0000-0x00000000041E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2560-68-0x00000000031E0000-0x00000000041E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2560-74-0x00000000031E0000-0x00000000041E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2560-71-0x00000000031E0000-0x00000000041E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2560-77-0x00000000031E0000-0x00000000041E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2560-79-0x00000000031E0000-0x00000000041E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2560-82-0x00000000031E0000-0x00000000041E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2560-28-0x00000000031E0000-0x00000000041E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2560-29-0x00000000031E0000-0x00000000041E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2560-32-0x00000000031E0000-0x00000000041E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2560-64-0x00000000031E0000-0x00000000041E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2560-84-0x00000000031E0000-0x00000000041E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2560-83-0x00000000031E0000-0x00000000041E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2560-81-0x00000000031E0000-0x00000000041E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2560-80-0x00000000031E0000-0x00000000041E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2560-78-0x00000000031E0000-0x00000000041E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2560-76-0x00000000031E0000-0x00000000041E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2560-75-0x00000000031E0000-0x00000000041E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2560-72-0x00000000031E0000-0x00000000041E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2560-70-0x00000000031E0000-0x00000000041E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2560-69-0x00000000031E0000-0x00000000041E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2560-67-0x00000000031E0000-0x00000000041E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2560-66-0x00000000031E0000-0x00000000041E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2560-62-0x00000000031E0000-0x00000000041E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2560-61-0x00000000031E0000-0x00000000041E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2560-59-0x00000000031E0000-0x00000000041E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2560-58-0x00000000031E0000-0x00000000041E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2560-57-0x00000000031E0000-0x00000000041E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2560-56-0x00000000031E0000-0x00000000041E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2560-54-0x00000000031E0000-0x00000000041E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2560-52-0x00000000031E0000-0x00000000041E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2560-51-0x00000000031E0000-0x00000000041E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2560-49-0x00000000031E0000-0x00000000041E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2560-48-0x00000000031E0000-0x00000000041E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2560-47-0x00000000031E0000-0x00000000041E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2560-45-0x00000000031E0000-0x00000000041E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2560-44-0x00000000031E0000-0x00000000041E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2560-42-0x00000000031E0000-0x00000000041E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2560-41-0x00000000031E0000-0x00000000041E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2560-40-0x00000000031E0000-0x00000000041E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2560-38-0x00000000031E0000-0x00000000041E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2560-37-0x00000000031E0000-0x00000000041E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2560-35-0x00000000031E0000-0x00000000041E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2560-33-0x00000000031E0000-0x00000000041E0000-memory.dmp	modiloader_stage2
behavioral1/memory/2560-30-0x00000000031E0000-0x00000000041E0000-memory.dmp	modiloader_stage2

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	2892	EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
2560	audiodg.exe

Loads dropped DLL 5 IoCs

pid	Process
2892	EQNEDT32.EXE
2892	EQNEDT32.EXE
1840	WerFault.exe
1840	WerFault.exe
1840	WerFault.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1840	2560	WerFault.exe	33

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiodg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQNEDT32.EXE

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2892	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2900	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2900	WINWORD.EXE
2900	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 2560	2892	EQNEDT32.EXE	33
PID 2892 wrote to memory of 2560	2892	EQNEDT32.EXE	33
PID 2892 wrote to memory of 2560	2892	EQNEDT32.EXE	33
PID 2892 wrote to memory of 2560	2892	EQNEDT32.EXE	33
PID 2900 wrote to memory of 1112	2900	WINWORD.EXE	35
PID 2900 wrote to memory of 1112	2900	WINWORD.EXE	35
PID 2900 wrote to memory of 1112	2900	WINWORD.EXE	35
PID 2900 wrote to memory of 1112	2900	WINWORD.EXE	35
PID 2560 wrote to memory of 1840	2560	audiodg.exe	36
PID 2560 wrote to memory of 1840	2560	audiodg.exe	36
PID 2560 wrote to memory of 1840	2560	audiodg.exe	36
PID 2560 wrote to memory of 1840	2560	audiodg.exe	36

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9f00a5fc9bdc5206d34d60f39e9872df590b4b71685afb0996e2d46e2b5a97d2.rtf"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1112

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Users\Admin\AppData\Roaming\audiodg.exe
  "C:\Users\Admin\AppData\Roaming\audiodg.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2560 -s 716
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
e0ddab4d3057a6120f77ac3873a0667e

SHA1
264afe13a44196ab1c35a83d9736ca2140e6015f

SHA256
ceedcb97af3bc5cdba7560964ee665321877858bf979beeb94366df6c2dd34ac

SHA512
6372af6138956303155d3e52003b1d17943dd574db5ccb0eb2ddea5d12c889630981b363f89718290c4ae28c1981ac2f452ab77026d65c2f2c54f069b75bc8de

Download Submit
C:\Users\Admin\AppData\Roaming\audiodg.exe

Filesize
1.0MB

MD5
bbf710c83246092a538128620853d4fd

SHA1
95338f06c76178de31b5e8453f92c43f970ea9f9

SHA256
7ad64f279e3fa6a7d0ef2916240f1337584c5b5176fb56089771164f2905554f

SHA512
a609d92fe0d25e7db140c731af4b241d47cdaddfe735d9f7575c982ef790ab01d7f969038546e6054101b745e8c208f74e41faf246173ca0722c7b994cf94001

Download Submit
memory/2560-81-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2560-76-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2560-20-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2560-23-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2560-22-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/2560-31-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2560-34-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2560-36-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2560-25-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2560-39-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2560-43-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2560-46-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2560-50-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2560-26-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2560-53-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2560-55-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2560-60-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2560-63-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2560-27-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2560-65-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2560-68-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2560-74-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2560-71-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2560-77-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2560-79-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2560-82-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2560-28-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2560-29-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2560-32-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2560-64-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2560-84-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2560-83-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2560-17-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2560-75-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2560-19-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2560-78-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2560-80-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2560-72-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2560-70-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2560-69-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2560-67-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2560-66-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2560-62-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2560-61-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2560-59-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2560-58-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2560-57-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2560-56-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2560-54-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2560-52-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2560-51-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2560-49-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2560-48-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2560-47-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2560-45-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2560-44-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2560-42-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2560-41-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2560-40-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2560-38-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2560-37-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2560-35-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2560-33-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2560-30-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2900-0-0x000000002FDC1000-0x000000002FDC2000-memory.dmp

Filesize
4KB

Download
memory/2900-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2900-2-0x0000000070F8D000-0x0000000070F98000-memory.dmp

Filesize
44KB

Download
memory/2900-4-0x0000000070F8D000-0x0000000070F98000-memory.dmp

Filesize
44KB

Download
memory/2900-140-0x0000000070F8D000-0x0000000070F98000-memory.dmp

Filesize
44KB

Download