modiloader | 94519fee9d47fd0262d1dd50e0bf20ea7cb0962b3a1e1de217c5f462b0633fab

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-01-2025 03:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

94519fee9d47fd0262d1dd50e0bf20ea7cb0962b3a1e1de217c5f462b0633fab.doc
Size

143KB
MD5

c8e60db8174345c243187675d4c760de
SHA1

34bdd0903708f1ab747cbb45a6a292517e1df83e
SHA256

94519fee9d47fd0262d1dd50e0bf20ea7cb0962b3a1e1de217c5f462b0633fab
SHA512

ae643f21123ef8514bf4ac405f0f385534b7d87fa681669d8bc276b81cecfce0e4660843aa442ec52882ca66e8f7cf80c3952bd0fc039ac5dc0d8047b970e769
SSDEEP

1536:L7dgmjjy2lQkySTUb2roegTK+g9WomfaQjSqttJnkL5mS9kBwNR42q8Z:LZPjbTU+J799IjSqtteL5N9kBF2

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 54 IoCs

resource	yara_rule
behavioral2/memory/2848-47-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2848-68-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2848-71-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2848-75-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2848-70-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2848-69-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2848-74-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2848-100-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2848-98-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2848-119-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2848-118-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2848-117-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2848-116-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2848-114-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2848-113-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2848-111-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2848-110-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2848-106-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2848-105-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2848-97-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2848-96-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2848-120-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2848-94-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2848-92-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2848-115-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2848-91-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2848-90-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2848-112-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2848-89-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2848-88-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2848-109-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2848-87-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2848-108-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2848-107-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2848-86-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2848-85-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2848-104-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2848-84-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2848-103-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2848-102-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2848-83-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2848-101-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2848-99-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2848-82-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2848-95-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2848-93-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2848-81-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2848-80-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2848-79-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2848-78-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2848-77-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2848-76-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2848-73-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2848-72-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
2848	brightness.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5472	2848	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	brightness.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	16	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
5012	WINWORD.EXE
5012	WINWORD.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
5012	WINWORD.EXE
5012	WINWORD.EXE
5012	WINWORD.EXE
5012	WINWORD.EXE
5012	WINWORD.EXE
5012	WINWORD.EXE
5012	WINWORD.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5012 wrote to memory of 2848	5012	WINWORD.EXE	86
PID 5012 wrote to memory of 2848	5012	WINWORD.EXE	86
PID 5012 wrote to memory of 2848	5012	WINWORD.EXE	86

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\94519fee9d47fd0262d1dd50e0bf20ea7cb0962b3a1e1de217c5f462b0633fab.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5012
- C:\Users\Admin\AppData\Local\Temp\brightness.exe
  C:\Users\Admin\AppData\Local\Temp\brightness.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2848
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 1360
    3⤵
    - Program crash
    PID:5472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2848 -ip 2848
1⤵
PID:5444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\brightness.exe

Filesize
834KB

MD5
c765af11517bdd9f600ad988c5107249

SHA1
85d787e012a4f5d50dfca08571634c6f1c82aeb5

SHA256
ce26bc4556fabe4a47c885353f169def4913c3b1f3f72af47f61952f07e26068

SHA512
562cd97ac800e36348a1df041338d086522248c65a30725720e2ec6a6c7d5a386f0b17da7b01922aaeff6000924c118889fc576378b7d09eef1ebb86858c257e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851223[[fn=iso690]].xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/2848-107-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2848-47-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2848-647-0x00007FFE18750000-0x00007FFE18945000-memory.dmp

Filesize
2.0MB

Download
memory/2848-72-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2848-73-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2848-76-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2848-77-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2848-78-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2848-79-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2848-80-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2848-81-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2848-93-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2848-95-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2848-82-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2848-99-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2848-101-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2848-83-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2848-102-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2848-103-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2848-84-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2848-104-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2848-85-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2848-44-0x00007FFE18750000-0x00007FFE18945000-memory.dmp

Filesize
2.0MB

Download
memory/2848-45-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2848-116-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2848-86-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2848-108-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2848-87-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2848-109-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2848-88-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2848-89-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2848-112-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2848-65-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2848-66-0x00007FFE18750000-0x00007FFE18945000-memory.dmp

Filesize
2.0MB

Download
memory/2848-68-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2848-71-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2848-75-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2848-70-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2848-117-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2848-114-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2848-100-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2848-98-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2848-119-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2848-118-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2848-69-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2848-90-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2848-74-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2848-113-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2848-111-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2848-110-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2848-106-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2848-105-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2848-97-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2848-96-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2848-120-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2848-94-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2848-92-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2848-115-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2848-91-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/5012-6-0x00007FFE18750000-0x00007FFE18945000-memory.dmp

Filesize
2.0MB

Download
memory/5012-58-0x00007FFE18750000-0x00007FFE18945000-memory.dmp

Filesize
2.0MB

Download
memory/5012-4-0x00007FFDD87D0000-0x00007FFDD87E0000-memory.dmp

Filesize
64KB

Download
memory/5012-57-0x00007FFE18750000-0x00007FFE18945000-memory.dmp

Filesize
2.0MB

Download
memory/5012-55-0x00007FFE187ED000-0x00007FFE187EE000-memory.dmp

Filesize
4KB

Download
memory/5012-56-0x00007FFE18750000-0x00007FFE18945000-memory.dmp

Filesize
2.0MB

Download
memory/5012-3-0x00007FFDD87D0000-0x00007FFDD87E0000-memory.dmp

Filesize
64KB

Download
memory/5012-0-0x00007FFE187ED000-0x00007FFE187EE000-memory.dmp

Filesize
4KB

Download
memory/5012-48-0x00007FFE18750000-0x00007FFE18945000-memory.dmp

Filesize
2.0MB

Download
memory/5012-1-0x00007FFDD87D0000-0x00007FFDD87E0000-memory.dmp

Filesize
64KB

Download
memory/5012-40-0x00007FFE18750000-0x00007FFE18945000-memory.dmp

Filesize
2.0MB

Download
memory/5012-34-0x00007FFE18750000-0x00007FFE18945000-memory.dmp

Filesize
2.0MB

Download
memory/5012-33-0x00007FFE18750000-0x00007FFE18945000-memory.dmp

Filesize
2.0MB

Download
memory/5012-64-0x00007FFE18750000-0x00007FFE18945000-memory.dmp

Filesize
2.0MB

Download
memory/5012-8-0x00007FFE18750000-0x00007FFE18945000-memory.dmp

Filesize
2.0MB

Download
memory/5012-7-0x00007FFDD87D0000-0x00007FFDD87E0000-memory.dmp

Filesize
64KB

Download
memory/5012-10-0x00007FFE18750000-0x00007FFE18945000-memory.dmp

Filesize
2.0MB

Download
memory/5012-18-0x00007FFE18750000-0x00007FFE18945000-memory.dmp

Filesize
2.0MB

Download
memory/5012-19-0x00007FFE18750000-0x00007FFE18945000-memory.dmp

Filesize
2.0MB

Download
memory/5012-20-0x00007FFE18750000-0x00007FFE18945000-memory.dmp

Filesize
2.0MB

Download
memory/5012-17-0x00007FFDD5E70000-0x00007FFDD5E80000-memory.dmp

Filesize
64KB

Download
memory/5012-16-0x00007FFE18750000-0x00007FFE18945000-memory.dmp

Filesize
2.0MB

Download
memory/5012-15-0x00007FFE18750000-0x00007FFE18945000-memory.dmp

Filesize
2.0MB

Download
memory/5012-14-0x00007FFDD5E70000-0x00007FFDD5E80000-memory.dmp

Filesize
64KB

Download
memory/5012-12-0x00007FFE18750000-0x00007FFE18945000-memory.dmp

Filesize
2.0MB

Download
memory/5012-13-0x00007FFE18750000-0x00007FFE18945000-memory.dmp

Filesize
2.0MB

Download
memory/5012-11-0x00007FFE18750000-0x00007FFE18945000-memory.dmp

Filesize
2.0MB

Download
memory/5012-5-0x00007FFE18750000-0x00007FFE18945000-memory.dmp

Filesize
2.0MB

Download
memory/5012-2-0x00007FFDD87D0000-0x00007FFDD87E0000-memory.dmp

Filesize
64KB

Download
memory/5012-9-0x00007FFE18750000-0x00007FFE18945000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads