modiloader | 5c32dd84a20a1c892702433f5cad7c0cf14dcf62df6ce5bc3f6ec3afdbaba178

Analysis

max time kernel
199s
max time network
221s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04/01/2024, 21:04

Target

41e90b9cb286e2be25ac95d3e7180e28.exe
Size

420KB
MD5

41e90b9cb286e2be25ac95d3e7180e28
SHA1

4bce3594dd2709a9ca1e1a580b022556794f1f2a
SHA256

5c32dd84a20a1c892702433f5cad7c0cf14dcf62df6ce5bc3f6ec3afdbaba178
SHA512

f5aa04b8903d037d768907698c506a97496f880752671cbd88449f307327a4c9fdbdd46f201e3875bf34aa41a0d496faa10a4d14a1a3083f48e2b43e6b010d9a
SSDEEP

12288:D18E+ESMbk2ZcVxG0qRJopA8ZwYqwTYb4f:v6Ak2Zcu0mJoiZYqwTYb4f

Score

10^/10

modiloader trojan

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

resource	yara_rule
behavioral2/memory/4276-2-0x0000000000400000-0x00000000004C103E-memory.dmp	modiloader_stage2
behavioral2/memory/1928-15-0x0000000000400000-0x00000000004C103E-memory.dmp	modiloader_stage2
behavioral2/memory/4276-16-0x0000000000400000-0x00000000004C103E-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
1928	rejoice082.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\_rejoice082.exe	rejoice082.exe
File opened for modification	C:\Windows\SysWOW64\_rejoice082.exe	rejoice082.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1928 set thread context of 4980	1928	rejoice082.exe	92

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice082.exe	41e90b9cb286e2be25ac95d3e7180e28.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice082.exe	41e90b9cb286e2be25ac95d3e7180e28.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\SetupDel.bat	41e90b9cb286e2be25ac95d3e7180e28.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1256	4980	WerFault.exe	92

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4276 wrote to memory of 1928	4276	41e90b9cb286e2be25ac95d3e7180e28.exe	91
PID 4276 wrote to memory of 1928	4276	41e90b9cb286e2be25ac95d3e7180e28.exe	91
PID 4276 wrote to memory of 1928	4276	41e90b9cb286e2be25ac95d3e7180e28.exe	91
PID 1928 wrote to memory of 4980	1928	rejoice082.exe	92
PID 1928 wrote to memory of 4980	1928	rejoice082.exe	92
PID 1928 wrote to memory of 4980	1928	rejoice082.exe	92
PID 1928 wrote to memory of 4980	1928	rejoice082.exe	92
PID 1928 wrote to memory of 4980	1928	rejoice082.exe	92
PID 1928 wrote to memory of 1672	1928	rejoice082.exe	93
PID 1928 wrote to memory of 1672	1928	rejoice082.exe	93
PID 4276 wrote to memory of 3184	4276	41e90b9cb286e2be25ac95d3e7180e28.exe	95
PID 4276 wrote to memory of 3184	4276	41e90b9cb286e2be25ac95d3e7180e28.exe	95
PID 4276 wrote to memory of 3184	4276	41e90b9cb286e2be25ac95d3e7180e28.exe	95

C:\Users\Admin\AppData\Local\Temp\41e90b9cb286e2be25ac95d3e7180e28.exe
"C:\Users\Admin\AppData\Local\Temp\41e90b9cb286e2be25ac95d3e7180e28.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4276
- C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice082.exe
  "C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice082.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Windows\SysWOW64\calc.exe
    "C:\Windows\system32\calc.exe"
    3⤵
    PID:4980
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 12
      4⤵
      Program crash
      PID:1256
- - C:\program files\internet explorer\IEXPLORE.EXE
    "C:\program files\internet explorer\IEXPLORE.EXE"
    3⤵
    PID:1672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\SetupDel.bat""
  2⤵
  PID:3184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4980 -ip 4980
1⤵
PID:980

C:\Program Files\Common Files\Microsoft Shared\MSINFO\SetupDel.bat

Filesize
184B

MD5
cae504e87648e829e68bb5932915fa4f

SHA1
d4dd676c274c1bf98f1b9e42f8a888f24f83104b

SHA256
0e37029ea9b7f3183b36b4a0e9561f8425858670537f7c671ca69400d54a1dd1

SHA512
9197ea4902965ebdc1bd189bd00440da9ed3ddda94df56319b66ebd665a0b91c1006527976d6ba646fac5becf0a7c06e22bd3a1d4e11963aba23eaf1df4dc04d

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\rejoice082.exe

Filesize
420KB

MD5
41e90b9cb286e2be25ac95d3e7180e28

SHA1
4bce3594dd2709a9ca1e1a580b022556794f1f2a

SHA256
5c32dd84a20a1c892702433f5cad7c0cf14dcf62df6ce5bc3f6ec3afdbaba178

SHA512
f5aa04b8903d037d768907698c506a97496f880752671cbd88449f307327a4c9fdbdd46f201e3875bf34aa41a0d496faa10a4d14a1a3083f48e2b43e6b010d9a

Download Submit
memory/1928-15-0x0000000000400000-0x00000000004C103E-memory.dmp

Filesize
772KB

Download
memory/1928-10-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/4276-0-0x0000000000400000-0x00000000004C103E-memory.dmp

Filesize
772KB

Download
memory/4276-1-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/4276-2-0x0000000000400000-0x00000000004C103E-memory.dmp

Filesize
772KB

Download
memory/4276-16-0x0000000000400000-0x00000000004C103E-memory.dmp

Filesize
772KB

Download
memory/4980-11-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download