Malware Analysis Report

2025-08-05 14:31

Sample ID: 240203-sdgsmsedfm
Target: 8ca028d6a26153dfdcb0f67b66159ac9
SHA256: be31185fc80afb305d668d523e70858d26f78ccf1175da83cc465eb949f8523a
Tags: upx modiloader trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256

be31185fc80afb305d668d523e70858d26f78ccf1175da83cc465eb949f8523a

Threat Level: Known bad

The file 8ca028d6a26153dfdcb0f67b66159ac9 was found to be: Known bad.

Malicious Activity Summary

upx modiloader trojan

ModiLoader Second Stage

ModiLoader, DBatLoader

Modiloader family

ModiLoader Second Stage

Deletes itself

UPX packed file

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Program Files directory

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-02-03 15:00

Signatures

ModiLoader Second Stage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Modiloader family

modiloader

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-03 15:00

Reported

2024-02-03 15:03

Platform

win7-20231215-en

Max time kernel

143s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8ca028d6a26153dfdcb0f67b66159ac9.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\_rejoice101.exe | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe | N/A
File opened for modification | C:\Windows\SysWOW64\_rejoice101.exe | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2628 set thread context of 2780 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe | C:\Windows\SysWOW64\calc.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe | C:\Users\Admin\AppData\Local\Temp\8ca028d6a26153dfdcb0f67b66159ac9.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe | C:\Users\Admin\AppData\Local\Temp\8ca028d6a26153dfdcb0f67b66159ac9.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SgotoDel.bat | C:\Users\Admin\AppData\Local\Temp\8ca028d6a26153dfdcb0f67b66159ac9.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2416 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\8ca028d6a26153dfdcb0f67b66159ac9.exe | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe
PID 2416 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\8ca028d6a26153dfdcb0f67b66159ac9.exe | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe
PID 2416 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\8ca028d6a26153dfdcb0f67b66159ac9.exe | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe
PID 2416 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\8ca028d6a26153dfdcb0f67b66159ac9.exe | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe
PID 2628 wrote to memory of 2780 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe | C:\Windows\SysWOW64\calc.exe
PID 2628 wrote to memory of 2780 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe | C:\Windows\SysWOW64\calc.exe
PID 2628 wrote to memory of 2780 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe | C:\Windows\SysWOW64\calc.exe
PID 2628 wrote to memory of 2780 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe | C:\Windows\SysWOW64\calc.exe
PID 2628 wrote to memory of 2780 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe | C:\Windows\SysWOW64\calc.exe
PID 2628 wrote to memory of 2780 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe | C:\Windows\SysWOW64\calc.exe
PID 2628 wrote to memory of 2660 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2628 wrote to memory of 2660 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2628 wrote to memory of 2660 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2628 wrote to memory of 2660 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2416 wrote to memory of 1772 | N/A | C:\Users\Admin\AppData\Local\Temp\8ca028d6a26153dfdcb0f67b66159ac9.exe | C:\Windows\SysWOW64\cmd.exe
PID 2416 wrote to memory of 1772 | N/A | C:\Users\Admin\AppData\Local\Temp\8ca028d6a26153dfdcb0f67b66159ac9.exe | C:\Windows\SysWOW64\cmd.exe
PID 2416 wrote to memory of 1772 | N/A | C:\Users\Admin\AppData\Local\Temp\8ca028d6a26153dfdcb0f67b66159ac9.exe | C:\Windows\SysWOW64\cmd.exe
PID 2416 wrote to memory of 1772 | N/A | C:\Users\Admin\AppData\Local\Temp\8ca028d6a26153dfdcb0f67b66159ac9.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8ca028d6a26153dfdcb0f67b66159ac9.exe

"C:\Users\Admin\AppData\Local\Temp\8ca028d6a26153dfdcb0f67b66159ac9.exe"

C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe

"C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe"

C:\Windows\SysWOW64\calc.exe

"C:\Windows\system32\calc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 300

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\SgotoDel.bat""

Network

N/A

Files

memory/2416-0-0x0000000000400000-0x00000000004C5000-memory.dmp

memory/2416-1-0x0000000000300000-0x0000000000301000-memory.dmp

\Program Files\Common Files\Microsoft Shared\MSInfo\rejoice101.exe

MD5 8ca028d6a26153dfdcb0f67b66159ac9
SHA1 5362f1c2d6d3935fa505f4b1a57987abccd1cd3d
SHA256 be31185fc80afb305d668d523e70858d26f78ccf1175da83cc465eb949f8523a
SHA512 2d73cb95b92a25da8c15cabe5833129a077b6fed804d54616c1880b5a319058725208768ccafa7f2efe68f8bf99a53269089cb0b58079b98b79b0438b331475b

memory/2416-10-0x0000000002B80000-0x0000000002C45000-memory.dmp

memory/2416-12-0x0000000002B80000-0x0000000002C45000-memory.dmp

memory/2628-17-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2628-13-0x0000000000400000-0x00000000004C5000-memory.dmp

memory/2780-18-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2780-22-0x0000000000400000-0x00000000004C5000-memory.dmp

memory/2780-24-0x0000000000DD0000-0x0000000000DD0000-memory.dmp

memory/2416-28-0x0000000000400000-0x00000000004C5000-memory.dmp

memory/2628-29-0x0000000000400000-0x00000000004C5000-memory.dmp

memory/2416-30-0x0000000000300000-0x0000000000301000-memory.dmp

C:\Program Files\Common Files\Microsoft Shared\MSInfo\SgotoDel.bat

MD5 77ced2405e345f9cff39459401cb8406
SHA1 746565c2db29e17a1f38923467646c9acdd396e4
SHA256 a0c91442c2b7e8c2fde1b881c056c4006d3ac7437ac135a68b92c9830022d87a
SHA512 6bfd800d6970e7cd2f10277aa3da01681632d52e1a79f839f6dfa6fd9bd45e7c77a661cfc1663d1d2426445e3b5373eb89968100bf2b5a3607cc2172a9cfebe6

memory/2416-41-0x0000000000400000-0x00000000004C5000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-03 15:00

Reported

2024-02-03 15:03

Platform

win10v2004-20231215-en

Max time kernel

142s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8ca028d6a26153dfdcb0f67b66159ac9.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\_rejoice101.exe | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe | N/A
File opened for modification | C:\Windows\SysWOW64\_rejoice101.exe | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 740 set thread context of 2268 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe | C:\Windows\SysWOW64\calc.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe | C:\Users\Admin\AppData\Local\Temp\8ca028d6a26153dfdcb0f67b66159ac9.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe | C:\Users\Admin\AppData\Local\Temp\8ca028d6a26153dfdcb0f67b66159ac9.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SgotoDel.bat | C:\Users\Admin\AppData\Local\Temp\8ca028d6a26153dfdcb0f67b66159ac9.exe | N/A

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\calc.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1452 wrote to memory of 740 | N/A | C:\Users\Admin\AppData\Local\Temp\8ca028d6a26153dfdcb0f67b66159ac9.exe | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe
PID 1452 wrote to memory of 740 | N/A | C:\Users\Admin\AppData\Local\Temp\8ca028d6a26153dfdcb0f67b66159ac9.exe | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe
PID 1452 wrote to memory of 740 | N/A | C:\Users\Admin\AppData\Local\Temp\8ca028d6a26153dfdcb0f67b66159ac9.exe | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe
PID 740 wrote to memory of 2268 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe | C:\Windows\SysWOW64\calc.exe
PID 740 wrote to memory of 2268 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe | C:\Windows\SysWOW64\calc.exe
PID 740 wrote to memory of 2268 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe | C:\Windows\SysWOW64\calc.exe
PID 740 wrote to memory of 2268 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe | C:\Windows\SysWOW64\calc.exe
PID 740 wrote to memory of 2268 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe | C:\Windows\SysWOW64\calc.exe
PID 740 wrote to memory of 2064 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe | C:\program files\internet explorer\IEXPLORE.EXE
PID 740 wrote to memory of 2064 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe | C:\program files\internet explorer\IEXPLORE.EXE
PID 1452 wrote to memory of 4104 | N/A | C:\Users\Admin\AppData\Local\Temp\8ca028d6a26153dfdcb0f67b66159ac9.exe | C:\Windows\SysWOW64\cmd.exe
PID 1452 wrote to memory of 4104 | N/A | C:\Users\Admin\AppData\Local\Temp\8ca028d6a26153dfdcb0f67b66159ac9.exe | C:\Windows\SysWOW64\cmd.exe
PID 1452 wrote to memory of 4104 | N/A | C:\Users\Admin\AppData\Local\Temp\8ca028d6a26153dfdcb0f67b66159ac9.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8ca028d6a26153dfdcb0f67b66159ac9.exe

"C:\Users\Admin\AppData\Local\Temp\8ca028d6a26153dfdcb0f67b66159ac9.exe"

C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe

"C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe"

C:\Windows\SysWOW64\calc.exe

"C:\Windows\system32\calc.exe"

C:\program files\internet explorer\IEXPLORE.EXE

"C:\program files\internet explorer\IEXPLORE.EXE"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2268 -ip 2268

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\SgotoDel.bat""

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 12

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 3.181.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
NL | 52.142.223.178:80 | | tcp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.178.89.13.in-addr.arpa | udp

Files

memory/1452-0-0x0000000000400000-0x00000000004C5000-memory.dmp

memory/1452-3-0x0000000002480000-0x0000000002481000-memory.dmp

C:\Program Files\Common Files\microsoft shared\MSInfo\rejoice101.exe

MD5 8ca028d6a26153dfdcb0f67b66159ac9
SHA1 5362f1c2d6d3935fa505f4b1a57987abccd1cd3d
SHA256 be31185fc80afb305d668d523e70858d26f78ccf1175da83cc465eb949f8523a
SHA512 2d73cb95b92a25da8c15cabe5833129a077b6fed804d54616c1880b5a319058725208768ccafa7f2efe68f8bf99a53269089cb0b58079b98b79b0438b331475b

memory/740-7-0x0000000000680000-0x0000000000681000-memory.dmp

memory/2268-10-0x0000000000400000-0x00000000004C5000-memory.dmp

memory/740-14-0x0000000000400000-0x00000000004C5000-memory.dmp

memory/1452-15-0x0000000000400000-0x00000000004C5000-memory.dmp

C:\Program Files\Common Files\Microsoft Shared\MSINFO\SgotoDel.bat

MD5 77ced2405e345f9cff39459401cb8406
SHA1 746565c2db29e17a1f38923467646c9acdd396e4
SHA256 a0c91442c2b7e8c2fde1b881c056c4006d3ac7437ac135a68b92c9830022d87a
SHA512 6bfd800d6970e7cd2f10277aa3da01681632d52e1a79f839f6dfa6fd9bd45e7c77a661cfc1663d1d2426445e3b5373eb89968100bf2b5a3607cc2172a9cfebe6

memory/2268-17-0x0000000000E90000-0x0000000000E90000-memory.dmp