Malware Analysis Report

2025-08-05 14:32

Sample ID 240203-141bnsdefm
Target 8d7b89b7d47ebb2fbb7b5389305ce8b8
SHA256 6cc38a350d313916a19f09b2163dbae59fcbc58ad50b534fd9809c69e400f5e3
Tags
modiloader trojan
score
10/10

Analysis Overview

score
10/10

SHA256

6cc38a350d313916a19f09b2163dbae59fcbc58ad50b534fd9809c69e400f5e3

Threat Level: Known bad

The file 8d7b89b7d47ebb2fbb7b5389305ce8b8 was found to be: Known bad.

Malicious Activity Summary

modiloader trojan

ModiLoader, DBatLoader

ModiLoader Second Stage

Deletes itself

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Program Files directory

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-02-03 22:12

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-03 22:12

Reported

2024-02-03 22:15

Platform

win7-20231215-en

Max time kernel

143s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8d7b89b7d47ebb2fbb7b5389305ce8b8.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice813.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\_rejoice813.exe | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice813.exe | N/A
File opened for modification | C:\Windows\SysWOW64\_rejoice813.exe | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice813.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2004 set thread context of 2884 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice813.exe | C:\Windows\SysWOW64\calc.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice813.exe | C:\Users\Admin\AppData\Local\Temp\8d7b89b7d47ebb2fbb7b5389305ce8b8.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat | C:\Users\Admin\AppData\Local\Temp\8d7b89b7d47ebb2fbb7b5389305ce8b8.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice813.exe | C:\Users\Admin\AppData\Local\Temp\8d7b89b7d47ebb2fbb7b5389305ce8b8.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2152 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\8d7b89b7d47ebb2fbb7b5389305ce8b8.exe | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice813.exe
PID 2004 wrote to memory of 2884 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice813.exe | C:\Windows\SysWOW64\calc.exe
PID 2004 wrote to memory of 2944 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice813.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2152 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\8d7b89b7d47ebb2fbb7b5389305ce8b8.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8d7b89b7d47ebb2fbb7b5389305ce8b8.exe

"C:\Users\Admin\AppData\Local\Temp\8d7b89b7d47ebb2fbb7b5389305ce8b8.exe"

C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice813.exe

"C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice813.exe"

C:\Windows\SysWOW64\calc.exe

"C:\Windows\system32\calc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 320

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat""

Network

N/A

Files

\Program Files\Common Files\Microsoft Shared\MSInfo\rejoice813.exe

MD5 8d7b89b7d47ebb2fbb7b5389305ce8b8
SHA1 2f92d8cdacfbc5203f9dff10d9354f45ab5bf22e
SHA256 6cc38a350d313916a19f09b2163dbae59fcbc58ad50b534fd9809c69e400f5e3
SHA512 13655c623db30b7cde28ab81a5ed75821667344f96818931a9a40699a51b697a68261ebc66dc10f640cc7d27181687759246a70c09e2183db521c203640abf77

C:\Program Files\Common Files\Microsoft Shared\MSInfo\Delet.bat

MD5 23e0114e054a29647a8cd87a0392ec84
SHA1 427082482ed3b88b8e0d4a61f93eb459419b4073
SHA256 549ba097d22fc041de2f767d7c802b528b349f1c0346a5c644349c0512a80dfa
SHA512 17146399f5a7ee5ce42a29840d35be61f7b78ec247e3848559a0908b9293da8006355df16740887c6bbbae4e58a6c6522a3336234748ab9e52eeb80cd7dabd02

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-03 22:12

Reported

2024-02-03 22:15

Platform

win10v2004-20231222-en

Max time kernel

92s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8d7b89b7d47ebb2fbb7b5389305ce8b8.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice813.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\_rejoice813.exe | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice813.exe | N/A
File opened for modification | C:\Windows\SysWOW64\_rejoice813.exe | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice813.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2080 set thread context of 2072 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice813.exe | C:\Windows\SysWOW64\calc.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice813.exe | C:\Users\Admin\AppData\Local\Temp\8d7b89b7d47ebb2fbb7b5389305ce8b8.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice813.exe | C:\Users\Admin\AppData\Local\Temp\8d7b89b7d47ebb2fbb7b5389305ce8b8.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat | C:\Users\Admin\AppData\Local\Temp\8d7b89b7d47ebb2fbb7b5389305ce8b8.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4580 wrote to memory of 2080 | N/A | C:\Users\Admin\AppData\Local\Temp\8d7b89b7d47ebb2fbb7b5389305ce8b8.exe | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice813.exe
PID 2080 wrote to memory of 2072 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice813.exe | C:\Windows\SysWOW64\calc.exe
PID 2080 wrote to memory of 1356 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice813.exe | C:\program files\internet explorer\IEXPLORE.EXE
PID 4580 wrote to memory of 4084 | N/A | C:\Users\Admin\AppData\Local\Temp\8d7b89b7d47ebb2fbb7b5389305ce8b8.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8d7b89b7d47ebb2fbb7b5389305ce8b8.exe

"C:\Users\Admin\AppData\Local\Temp\8d7b89b7d47ebb2fbb7b5389305ce8b8.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4580 -ip 4580

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 324

C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice813.exe

"C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice813.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2080 -ip 2080

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 324

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2072 -ip 2072

C:\program files\internet explorer\IEXPLORE.EXE

"C:\program files\internet explorer\IEXPLORE.EXE"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2080 -ip 2080

C:\Windows\SysWOW64\calc.exe

"C:\Windows\system32\calc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 12

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 688

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat""

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 190.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp
US | 20.231.121.79:80 | | tcp
US | 8.8.8.8:53 | 182.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp

Files

C:\Program Files\Common Files\microsoft shared\MSInfo\rejoice813.exe

MD5 8d7b89b7d47ebb2fbb7b5389305ce8b8
SHA1 2f92d8cdacfbc5203f9dff10d9354f45ab5bf22e
SHA256 6cc38a350d313916a19f09b2163dbae59fcbc58ad50b534fd9809c69e400f5e3
SHA512 13655c623db30b7cde28ab81a5ed75821667344f96818931a9a40699a51b697a68261ebc66dc10f640cc7d27181687759246a70c09e2183db521c203640abf77

C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat

MD5 23e0114e054a29647a8cd87a0392ec84
SHA1 427082482ed3b88b8e0d4a61f93eb459419b4073
SHA256 549ba097d22fc041de2f767d7c802b528b349f1c0346a5c644349c0512a80dfa
SHA512 17146399f5a7ee5ce42a29840d35be61f7b78ec247e3848559a0908b9293da8006355df16740887c6bbbae4e58a6c6522a3336234748ab9e52eeb80cd7dabd02
