Malware Analysis Report

2025-08-05 14:32

Sample ID 240203-2d9m4abdh8
Target 8d83768b151d2efde1fc4692e39b4a41
SHA256 40a3268a8ea94299a2135fc021fe25b907694463c9380fbfbc6c7e834aa6294b
Tags
modiloader trojan
score
10/10

Analysis Overview

score
10/10

SHA256

40a3268a8ea94299a2135fc021fe25b907694463c9380fbfbc6c7e834aa6294b

Threat Level: Known bad

The file 8d83768b151d2efde1fc4692e39b4a41 was found to be: Known bad.

Malicious Activity Summary

modiloader trojan

ModiLoader, DBatLoader

ModiLoader Second Stage

Deletes itself

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-02-03 22:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-03 22:29

Reported

2024-02-03 22:31

Platform

win10v2004-20231215-en

Max time kernel

143s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8d83768b151d2efde1fc4692e39b4a41.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Indxiwg.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Indxiwg.exe C:\Users\Admin\AppData\Local\Temp\8d83768b151d2efde1fc4692e39b4a41.exe N/A
File opened for modification C:\Windows\SysWOW64\Indxiwg.exe C:\Users\Admin\AppData\Local\Temp\8d83768b151d2efde1fc4692e39b4a41.exe N/A
File opened for modification C:\Windows\SysWOW64\Indxiwg.exe C:\Windows\SysWOW64\Indxiwg.exe N/A
File created C:\Windows\SysWOW64\Deleteme.bat C:\Users\Admin\AppData\Local\Temp\8d83768b151d2efde1fc4692e39b4a41.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8d83768b151d2efde1fc4692e39b4a41.exe

"C:\Users\Admin\AppData\Local\Temp\8d83768b151d2efde1fc4692e39b4a41.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3592 -ip 3592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 324

C:\Windows\SysWOW64\Indxiwg.exe

C:\Windows\system32\Indxiwg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4476 -ip 4476

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 324

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\system32\Deleteme.bat

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 179.178.17.96.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 104.193.132.51.in-addr.arpa udp

Files

C:\Windows\SysWOW64\Indxiwg.exe

MD5 8d83768b151d2efde1fc4692e39b4a41
SHA1 0b628b91474e43b17fa32ddb0a489b0050c8c730
SHA256 40a3268a8ea94299a2135fc021fe25b907694463c9380fbfbc6c7e834aa6294b
SHA512 8bc1bf8067409172668639a6587164f0af2beed9254b647b96627dba5f2817f2134fccd2682d13949ba415922074ff8b1ad1c760617579db010562c69d5b498b

C:\Windows\SysWOW64\Deleteme.bat

MD5 76548ddbf2a885b58278b53bb642c3e2
SHA1 92fc8f271f6c18835a75b54510bba05dddb49cd6
SHA256 092b5bffbb0210d17ba551a0aa234f264e4b72842e5e97bd55e33e6e141f5b7c
SHA512 40820c5e2f9016fccd37832e4ee4f47fa55eead773624af548d8ddd7d0bea9cc006aa7ccb6723c4beb456c25585e58bf4b0af1a8319474f5ddbfe1f42729dbe0

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-03 22:29

Reported

2024-02-03 22:31

Platform

win7-20231215-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8d83768b151d2efde1fc4692e39b4a41.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Indxiwg.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Indxiwg.exe C:\Users\Admin\AppData\Local\Temp\8d83768b151d2efde1fc4692e39b4a41.exe N/A
File opened for modification C:\Windows\SysWOW64\Indxiwg.exe C:\Users\Admin\AppData\Local\Temp\8d83768b151d2efde1fc4692e39b4a41.exe N/A
File opened for modification C:\Windows\SysWOW64\Indxiwg.exe C:\Windows\SysWOW64\Indxiwg.exe N/A
File created C:\Windows\SysWOW64\Deleteme.bat C:\Users\Admin\AppData\Local\Temp\8d83768b151d2efde1fc4692e39b4a41.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8d83768b151d2efde1fc4692e39b4a41.exe

"C:\Users\Admin\AppData\Local\Temp\8d83768b151d2efde1fc4692e39b4a41.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Windows\system32\Deleteme.bat

C:\Windows\SysWOW64\Indxiwg.exe

C:\Windows\system32\Indxiwg.exe

Network

N/A

Files

\Windows\SysWOW64\Indxiwg.exe

MD5 bd99b69ba8724cb226ac3dbf45a7d9cf
SHA1 005cafa03a5ab7c643f0c8f9fbb8c2cdfa69e7d7
SHA256 1728a0c1ae715633f9897f141693ea434b2707558815b340c2635a5d6aae90aa
SHA512 a1cca13157d95920db3f33206697e1f75e7b1fb4a3a2192a2884e71a94ef02c518ed1e6d63926b8636d45f627018f9ac334bb09f86c026e42f554ba89100423b

C:\Windows\SysWOW64\Deleteme.bat

MD5 76548ddbf2a885b58278b53bb642c3e2
SHA1 92fc8f271f6c18835a75b54510bba05dddb49cd6
SHA256 092b5bffbb0210d17ba551a0aa234f264e4b72842e5e97bd55e33e6e141f5b7c
SHA512 40820c5e2f9016fccd37832e4ee4f47fa55eead773624af548d8ddd7d0bea9cc006aa7ccb6723c4beb456c25585e58bf4b0af1a8319474f5ddbfe1f42729dbe0

C:\Windows\SysWOW64\Indxiwg.exe

MD5 3260fe7e4ec7774e2e7f463595fd2fb0
SHA1 f5d496f9bb2852e835b68cc371a0de9bd4a7c678
SHA256 defbb067dad94cc0b2d17d4c984d8cc89eb6daeeb124f4d3573f8c7524745ec7
SHA512 f3b87a26cbe44df551c40289b27d06d15b2a3a2561aeb36e87d3fcf9f93b69474a2f6950080fae5837f19495f95daa42d93e13092f6d8ecead9bc3ca28a893eb

C:\Windows\SysWOW64\Indxiwg.exe

MD5 877b95a76cdeae4d04b7985bc2cc68e6
SHA1 4a66c330a47dce3fcc16bb7ec3ed8a7372bb4b65
SHA256 e3d5e614880e25d4d3e418759f0d7524adbbda836748c7416d05796c57cc14d7
SHA512 60c4aaf84615aeaec832a7df314a71818a3dca449c22c3ad6e8b6e4bbc16822e3738443765f5f653de32eafe0f58129c7d36a0c8410d8620ee25a8916d58a90a

C:\Windows\SysWOW64\Indxiwg.exe

MD5 67b69e93a7b3aa33a74afbbf52dbf61f
SHA1 ce48b01e35245f992a41fd9edc2384a159ddfe71
SHA256 b6db83a0eef8a818af352d62d68004aeb954a1e84c92e625194316e7a6cc3174
SHA512 8d299bdc6e6715696a845c70536b52103e07a5abb4589a4c9ab445e8986fb2c714c06e5036308e323deb28a365c095e0c63683322b8b45f4dd2d4c2eaeedd13e

\Windows\SysWOW64\Indxiwg.exe

MD5 b0625ddf9b8185708a9f883c36d97ef3
SHA1 0d0296e441a6ef9818b6661cbff108c0ec3d2e12
SHA256 065ba6ba92ced1029dd72881565fbcfcd6256b52aaea77a4848ba08b2c01ea75
SHA512 c520e9d09ef5eb178cfecd48a1ada1b30ef922fbe872f6bfb7da799629ca49a7de4074f64d059856752af15bb466c56c1a1fc23ecf7014801b5bef1e31795680
