Analysis
- max time kernel: 150s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 07-05-2024 05:22
Behavioral task behavioral1
- Sample: 71523d4ed0a8d827f80c6d2e9ec825e0_NEAS.exe
- Resource: win7-20240221-en
Behavioral task behavioral2
- Sample: 71523d4ed0a8d827f80c6d2e9ec825e0_NEAS.exe
- Resource: win10v2004-20240226-en
General
- Target: 71523d4ed0a8d827f80c6d2e9ec825e0_NEAS.exe
- Size: 326KB
- MD5: 71523d4ed0a8d827f80c6d2e9ec825e0
- SHA1: 7b5d36ad61933ea1ecf0314879d54994c5075a41
- SHA256: 28f1e799b00bed99d9777b6d48e7f20c9d2dd9386869ecea13ab68633600abfa
- SHA512: 10f9834ecc6ae105ab5f9cc3a30960b7cabc6b68760c3ed3f1134df0329d4b7e4737b1400f56394ad162155055a08c07010a307e72d6a78e8fa3a6bf248b780b
- SSDEEP: 3072:Ie2A0wxDqUpM5scww4chO+O1BmP5DG0sg3i4XZ9WvDZHwdRX/L+gP38XV:IsxD5cwohO+O1sVG0/pZ6iPC8
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage (1 IoC)
  resource / yara_rule:
  behavioral1/memory/2848-259-0x0000000000400000-0x0000000000414000-memory.dmp modiloader_stage2
- Executes dropped EXE (3 IoCs)
  pid / process:
  1476 csrsll.exe
  2256 csrsll.exe
  2848 csrsll.exe
- Loads dropped DLL (5 IoCs)
  pid / process:
  2408 71523d4ed0a8d827f80c6d2e9ec825e0_NEAS.exe (5 identical entries)
- Adds Run key to start application (2 TTPs, 1 IoC)
  description / ioc / process:
  Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Win Pdf = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\csrsll.exe" (reg.exe)
- Suspicious use of SetThreadContext (3 IoCs)
  description / pid / process / target process:
  PID 2804 set thread context of 2408: 71523d4ed0a8d827f80c6d2e9ec825e0_NEAS.exe -> 71523d4ed0a8d827f80c6d2e9ec825e0_NEAS.exe
  PID 1476 set thread context of 2256: csrsll.exe -> csrsll.exe
  PID 1476 set thread context of 2848: csrsll.exe -> csrsll.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description / pid / process:
  Token: SeDebugPrivilege 2256 csrsll.exe (64 identical entries)
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid / process:
  2804 71523d4ed0a8d827f80c6d2e9ec825e0_NEAS.exe
  2408 71523d4ed0a8d827f80c6d2e9ec825e0_NEAS.exe
  1476 csrsll.exe
  2256 csrsll.exe
- Suspicious use of WriteProcessMemory (36 IoCs)
  description / pid / process / target process (identical entries collapsed, count in parentheses):
  PID 2804 wrote to memory of 2408: 71523d4ed0a8d827f80c6d2e9ec825e0_NEAS.exe -> 71523d4ed0a8d827f80c6d2e9ec825e0_NEAS.exe (8)
  PID 2408 wrote to memory of 1320: 71523d4ed0a8d827f80c6d2e9ec825e0_NEAS.exe -> cmd.exe (4)
  PID 1320 wrote to memory of 1424: cmd.exe -> reg.exe (4)
  PID 2408 wrote to memory of 1476: 71523d4ed0a8d827f80c6d2e9ec825e0_NEAS.exe -> csrsll.exe (4)
  PID 1476 wrote to memory of 2256: csrsll.exe -> csrsll.exe (8)
  PID 1476 wrote to memory of 2848: csrsll.exe -> csrsll.exe (8)
Processes
- C:\Users\Admin\AppData\Local\Temp\71523d4ed0a8d827f80c6d2e9ec825e0_NEAS.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\71523d4ed0a8d827f80c6d2e9ec825e0_NEAS.exe"
  depth 1, PID 2804
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\71523d4ed0a8d827f80c6d2e9ec825e0_NEAS.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\71523d4ed0a8d827f80c6d2e9ec825e0_NEAS.exe"
    depth 2, PID 2408
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\EDRHU.bat" "
      depth 3, PID 1320
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe
        command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Win Pdf" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe" /f
        depth 4, PID 1424
        - Adds Run key to start application
    - C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
      depth 3, PID 1476
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
        command line: "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
        depth 4, PID 2256
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
      - C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
        command line: "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
        depth 4, PID 2848
        - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 145B
  MD5: 4eb61ec7816c34ec8c125acadc57ec1b
  SHA1: b0015cc865c0bb1a027be663027d3829401a31cc
  SHA256: 08375cdb2e9819391f67f71e9718c15b48d3eaa452c54bd8fdd1f6a42e899aff
  SHA512: f289f01d996dd643560370be8cdf8894e9a676ca3813f706c01ef5d705b9b18246c6cadf10d96edd433a616637b8a78fbd23c5738e76f1c4e671977b6d0cb6c1
- Filesize: 326KB
  MD5: ceab66967b8dd47b31ce516f1768fa74
  SHA1: e552e8aca681cc9e74e85f0cb203f674c2787d7a
  SHA256: 3f39cb2f31f92e5c60d6bbad8b43fb5fb277b04d07d832d744c36db4e1dcaa1d
  SHA512: 31abf0d06efbca7e079a16593c8a0fa2ac3438bb0fe3b526ee94e0ecab1eb3fe86f6aeb7ada42459b2b89fd4e6685f8174d6eef4656d513384186cf854c3ccba