Analysis
max time kernel: 154s
max time network: 160s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-05-2024 05:22
Behavioral task: behavioral1
Sample: 71523d4ed0a8d827f80c6d2e9ec825e0_NEAS.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 71523d4ed0a8d827f80c6d2e9ec825e0_NEAS.exe
Resource: win10v2004-20240226-en
General
Target: 71523d4ed0a8d827f80c6d2e9ec825e0_NEAS.exe
Size: 326KB
MD5: 71523d4ed0a8d827f80c6d2e9ec825e0
SHA1: 7b5d36ad61933ea1ecf0314879d54994c5075a41
SHA256: 28f1e799b00bed99d9777b6d48e7f20c9d2dd9386869ecea13ab68633600abfa
SHA512: 10f9834ecc6ae105ab5f9cc3a30960b7cabc6b68760c3ed3f1134df0329d4b7e4737b1400f56394ad162155055a08c07010a307e72d6a78e8fa3a6bf248b780b
SSDEEP: 3072:Ie2A0wxDqUpM5scww4chO+O1BmP5DG0sg3i4XZ9WvDZHwdRX/L+gP38XV:IsxD5cwohO+O1sVG0/pZ6iPC8
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 4 IoCs
Processes:
resource | yara_rule
behavioral2/memory/3588-53-0x0000000000400000-0x0000000000414000-memory.dmp | modiloader_stage2
behavioral2/memory/3588-54-0x0000000000400000-0x0000000000414000-memory.dmp | modiloader_stage2
behavioral2/memory/3588-52-0x0000000000400000-0x0000000000414000-memory.dmp | modiloader_stage2
behavioral2/memory/3588-58-0x0000000000400000-0x0000000000414000-memory.dmp | modiloader_stage2
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 71523d4ed0a8d827f80c6d2e9ec825e0_NEAS.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | 71523d4ed0a8d827f80c6d2e9ec825e0_NEAS.exe
-
Executes dropped EXE 3 IoCs
Processes: csrsll.exe, csrsll.exe, csrsll.exe
pid | process
3976 | csrsll.exe
3360 | csrsll.exe
3588 | csrsll.exe
-
Processes:
resource | yara_rule
behavioral2/memory/5076-0-0x0000000000400000-0x0000000000454000-memory.dmp | upx
behavioral2/memory/2464-9-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/memory/2464-10-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/memory/2464-7-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/memory/5076-13-0x0000000000400000-0x0000000000454000-memory.dmp | upx
C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe | upx
C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe | upx
behavioral2/memory/3976-34-0x0000000000400000-0x0000000000454000-memory.dmp | upx
behavioral2/memory/2464-38-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/memory/3588-44-0x0000000000400000-0x0000000000414000-memory.dmp | upx
behavioral2/memory/3588-51-0x0000000000400000-0x0000000000414000-memory.dmp | upx
behavioral2/memory/3588-53-0x0000000000400000-0x0000000000414000-memory.dmp | upx
behavioral2/memory/2464-55-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/memory/3588-54-0x0000000000400000-0x0000000000414000-memory.dmp | upx
behavioral2/memory/3588-52-0x0000000000400000-0x0000000000414000-memory.dmp | upx
behavioral2/memory/3976-49-0x0000000000400000-0x0000000000454000-memory.dmp | upx
behavioral2/memory/3976-39-0x0000000000400000-0x0000000000454000-memory.dmp | upx
behavioral2/memory/3588-58-0x0000000000400000-0x0000000000414000-memory.dmp | upx
behavioral2/memory/3360-57-0x0000000000400000-0x000000000040B000-memory.dmp | upx
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: reg.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Win Pdf = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\csrsll.exe" | reg.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes: 71523d4ed0a8d827f80c6d2e9ec825e0_NEAS.exe, csrsll.exe
description | pid | process | target process
PID 5076 set thread context of 2464 | 5076 | 71523d4ed0a8d827f80c6d2e9ec825e0_NEAS.exe | 71523d4ed0a8d827f80c6d2e9ec825e0_NEAS.exe
PID 3976 set thread context of 3360 | 3976 | csrsll.exe | csrsll.exe
PID 3976 set thread context of 3588 | 3976 | csrsll.exe | csrsll.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: csrsll.exe
description | pid | process | occurrences
Token: SeDebugPrivilege | 3360 | csrsll.exe | 64 (identical rows, one per IoC)
-
Suspicious use of SetWindowsHookEx 4 IoCs
Processes: 71523d4ed0a8d827f80c6d2e9ec825e0_NEAS.exe, 71523d4ed0a8d827f80c6d2e9ec825e0_NEAS.exe, csrsll.exe, csrsll.exe
pid | process
5076 | 71523d4ed0a8d827f80c6d2e9ec825e0_NEAS.exe
2464 | 71523d4ed0a8d827f80c6d2e9ec825e0_NEAS.exe
3976 | csrsll.exe
3360 | csrsll.exe
-
Suspicious use of WriteProcessMemory 33 IoCs
Processes: 71523d4ed0a8d827f80c6d2e9ec825e0_NEAS.exe, 71523d4ed0a8d827f80c6d2e9ec825e0_NEAS.exe, cmd.exe, csrsll.exe
description | pid | process | target process | occurrences
PID 5076 wrote to memory of 2464 | 5076 | 71523d4ed0a8d827f80c6d2e9ec825e0_NEAS.exe | 71523d4ed0a8d827f80c6d2e9ec825e0_NEAS.exe | 8
PID 2464 wrote to memory of 1780 | 2464 | 71523d4ed0a8d827f80c6d2e9ec825e0_NEAS.exe | cmd.exe | 3
PID 1780 wrote to memory of 1904 | 1780 | cmd.exe | reg.exe | 3
PID 2464 wrote to memory of 3976 | 2464 | 71523d4ed0a8d827f80c6d2e9ec825e0_NEAS.exe | csrsll.exe | 3
PID 3976 wrote to memory of 3360 | 3976 | csrsll.exe | csrsll.exe | 8
PID 3976 wrote to memory of 3588 | 3976 | csrsll.exe | csrsll.exe | 8
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\71523d4ed0a8d827f80c6d2e9ec825e0_NEAS.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\71523d4ed0a8d827f80c6d2e9ec825e0_NEAS.exe"
  PID: 5076
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\71523d4ed0a8d827f80c6d2e9ec825e0_NEAS.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\71523d4ed0a8d827f80c6d2e9ec825e0_NEAS.exe"
    PID: 2464
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KRVHF.bat" "
      PID: 1780
      - Suspicious use of WriteProcessMemory
      - [depth 4] C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Win Pdf" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe" /f
        PID: 1904
        - Adds Run key to start application
    - [depth 3] C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
      PID: 3976
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - [depth 4] C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
        PID: 3360
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
      - [depth 4] C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
        PID: 3588
        - Executes dropped EXE
- [depth 1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3104 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
  PID: 4384
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 145B
MD5: 4eb61ec7816c34ec8c125acadc57ec1b
SHA1: b0015cc865c0bb1a027be663027d3829401a31cc
SHA256: 08375cdb2e9819391f67f71e9718c15b48d3eaa452c54bd8fdd1f6a42e899aff
SHA512: f289f01d996dd643560370be8cdf8894e9a676ca3813f706c01ef5d705b9b18246c6cadf10d96edd433a616637b8a78fbd23c5738e76f1c4e671977b6d0cb6c1
-
Filesize: 326KB
MD5: 93307a8ca7644cd3ef83e305d1693ad8
SHA1: 3ecf8e8bb3ae8c76ad2b96c8f81931ff723b8e83
SHA256: 5266671d91a45df381edc79cd5726861a481117f634b1bffec573331eff9bc22
SHA512: 831e4569d928f0862fab76436cf942f26efbb55e4bc28e0048fb53361c586b3388e1639198679691a6d39d0a49fac831eba29c5ac356133e99bc9cc8eb0c7ca3
-
Filesize: 192KB
MD5: 39410f0bf0691434d77c08916d029d46
SHA1: dd10575b15aa729fc7e220ba4969508487983978
SHA256: 8d3a211c7053e62a669b291e4df3502f79142d57d9aa68d4bebe14436dd3a05d
SHA512: 23d228013738309659d8d96f97e47b7af59ba95f106d5cd35be8e82d96b77ad05d7868efb8e5ed25c7170c3cf6386762ff39c7fda6c36de0c9382bc955d09b2f