Analysis
max time kernel: 149s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 07-05-2024 12:45
Behavioral task: behavioral1
  Sample: 863aa7600167704c4c8f6f73118584e0_NEAS.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 863aa7600167704c4c8f6f73118584e0_NEAS.exe
  Resource: win10v2004-20240419-en
General
Target: 863aa7600167704c4c8f6f73118584e0_NEAS.exe
Size: 90KB
MD5: 863aa7600167704c4c8f6f73118584e0
SHA1: d9ca386c22f0fb5400a8b92e94012822ec6926d0
SHA256: a25d757e31be69503740505aa15e3535499d17669b104b91ab191b434f957abf
SHA512: 81eed09a5f4ae8f951938d2b4f67cfbd29f89aa681294ed5ccd968815c8ce3601b4f1e24872c914a7745856bde88e1f5446d93da01cb51c6dfc6cc6045350b64
SSDEEP: 1536:UiYwjQt6QJvzZsgDIWzm/xsXfv+hYhyQQyV5uv4JBrB7w5VRGulTG1ZCL8nj1oDK:0wjZQJvzZsgsW6/Afv+hYfQIm4/rdE3Y
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
ModiLoader Second Stage 1 IoCs
Processes:
  resource                                                                       yara_rule
  behavioral1/memory/1236-269-0x0000000000400000-0x0000000000414000-memory.dmp   modiloader_stage2
Executes dropped EXE 3 IoCs
Processes:
  pid    process
  1664   csrsll.exe
  1808   csrsll.exe
  1236   csrsll.exe
Loads dropped DLL 5 IoCs
Processes:
  pid    process
  1652   863aa7600167704c4c8f6f73118584e0_NEAS.exe
  (the same row is listed five times in the report, one per IoC)
Processes:
  resource                                                                       yara_rule
  behavioral1/memory/2892-0-0x0000000000400000-0x0000000000453000-memory.dmp     upx
  behavioral1/memory/2892-94-0x0000000000400000-0x0000000000453000-memory.dmp    upx
  behavioral1/memory/2892-91-0x0000000000400000-0x0000000000453000-memory.dmp    upx
  behavioral1/memory/1652-109-0x0000000000400000-0x000000000040B000-memory.dmp   upx
  behavioral1/memory/1652-113-0x0000000000400000-0x000000000040B000-memory.dmp   upx
  behavioral1/memory/1652-111-0x0000000000400000-0x000000000040B000-memory.dmp   upx
  behavioral1/memory/2892-107-0x0000000000400000-0x0000000000453000-memory.dmp   upx
  behavioral1/memory/2892-105-0x0000000000400000-0x0000000000453000-memory.dmp   upx
  behavioral1/memory/1652-103-0x0000000000400000-0x000000000040B000-memory.dmp   upx
  behavioral1/memory/1652-99-0x0000000000400000-0x000000000040B000-memory.dmp    upx
  behavioral1/memory/1652-97-0x0000000000400000-0x000000000040B000-memory.dmp    upx
  behavioral1/memory/2892-84-0x0000000000400000-0x0000000000453000-memory.dmp    upx
  behavioral1/memory/2892-83-0x0000000000400000-0x0000000000453000-memory.dmp    upx
  behavioral1/memory/2892-82-0x0000000000400000-0x0000000000453000-memory.dmp    upx
  behavioral1/memory/2892-79-0x0000000000400000-0x0000000000453000-memory.dmp    upx
  behavioral1/memory/2892-67-0x0000000000400000-0x0000000000453000-memory.dmp    upx
  \Users\Admin\AppData\Roaming\Microsoft\csrsll.exe                              upx
  behavioral1/memory/1652-140-0x0000000002D30000-0x0000000002D83000-memory.dmp   upx
  behavioral1/memory/1664-156-0x0000000000400000-0x0000000000453000-memory.dmp   upx
  behavioral1/memory/1652-159-0x0000000000400000-0x000000000040B000-memory.dmp   upx
  behavioral1/memory/1664-228-0x0000000000400000-0x0000000000453000-memory.dmp   upx
  behavioral1/memory/1652-263-0x0000000000400000-0x000000000040B000-memory.dmp   upx
  behavioral1/memory/1664-257-0x0000000000400000-0x0000000000453000-memory.dmp   upx
  behavioral1/memory/1236-255-0x0000000000400000-0x0000000000414000-memory.dmp   upx
  behavioral1/memory/1808-254-0x0000000000400000-0x000000000040B000-memory.dmp   upx
  behavioral1/memory/1808-268-0x0000000000400000-0x000000000040B000-memory.dmp   upx
  behavioral1/memory/1236-269-0x0000000000400000-0x0000000000414000-memory.dmp   upx
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  process: reg.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Win Pdf = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\csrsll.exe"
Suspicious use of SetThreadContext 3 IoCs
Processes:
  description                           pid    process                                     target process
  PID 2892 set thread context of 1652   2892   863aa7600167704c4c8f6f73118584e0_NEAS.exe   863aa7600167704c4c8f6f73118584e0_NEAS.exe
  PID 1664 set thread context of 1808   1664   csrsll.exe                                  csrsll.exe
  PID 1664 set thread context of 1236   1664   csrsll.exe                                  csrsll.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
  description               pid    process
  Token: SeDebugPrivilege   1808   csrsll.exe
  (this identical row is repeated for all 64 IoCs; every entry names PID 1808, csrsll.exe)
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
  pid    process
  2892   863aa7600167704c4c8f6f73118584e0_NEAS.exe
  1652   863aa7600167704c4c8f6f73118584e0_NEAS.exe
  1664   csrsll.exe
  1808   csrsll.exe
Suspicious use of WriteProcessMemory 36 IoCs
Processes:
  description                        pid    process                                     target process                              occurrences
  PID 2892 wrote to memory of 1652   2892   863aa7600167704c4c8f6f73118584e0_NEAS.exe   863aa7600167704c4c8f6f73118584e0_NEAS.exe   8
  PID 1652 wrote to memory of 2700   1652   863aa7600167704c4c8f6f73118584e0_NEAS.exe   cmd.exe                                     4
  PID 2700 wrote to memory of 2732   2700   cmd.exe                                     reg.exe                                     4
  PID 1652 wrote to memory of 1664   1652   863aa7600167704c4c8f6f73118584e0_NEAS.exe   csrsll.exe                                  4
  PID 1664 wrote to memory of 1808   1664   csrsll.exe                                  csrsll.exe                                  8
  PID 1664 wrote to memory of 1236   1664   csrsll.exe                                  csrsll.exe                                  8
  (identical rows collapsed; the occurrences column gives how many times each row appears, 36 in total)
Processes
C:\Users\Admin\AppData\Local\Temp\863aa7600167704c4c8f6f73118584e0_NEAS.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\863aa7600167704c4c8f6f73118584e0_NEAS.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2892
  C:\Users\Admin\AppData\Local\Temp\863aa7600167704c4c8f6f73118584e0_NEAS.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\863aa7600167704c4c8f6f73118584e0_NEAS.exe"
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1652
    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\PBKBT.bat" "
      - Suspicious use of WriteProcessMemory
      PID:2700
      C:\Windows\SysWOW64\reg.exe
        command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Win Pdf" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe" /f
        - Adds Run key to start application
        PID:2732
    C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID:1664
      C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
        command line: "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        PID:1808
      C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
        command line: "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
        - Executes dropped EXE
        PID:1236
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 145B
MD5: 4eb61ec7816c34ec8c125acadc57ec1b
SHA1: b0015cc865c0bb1a027be663027d3829401a31cc
SHA256: 08375cdb2e9819391f67f71e9718c15b48d3eaa452c54bd8fdd1f6a42e899aff
SHA512: f289f01d996dd643560370be8cdf8894e9a676ca3813f706c01ef5d705b9b18246c6cadf10d96edd433a616637b8a78fbd23c5738e76f1c4e671977b6d0cb6c1

Filesize: 90KB
MD5: 3b5aa559afa21267381b22eca32719dc
SHA1: 199f077e6d1f2ccdb8663a99e15473f8cf3e3073
SHA256: 97339c3c9a1328acae1e412c4a602480a279de53b2be55603cf908aa953ae65c
SHA512: a44d7fe1b4706a390e98e2aff6e248fa67d1484e313bcaedd5c2bf949079195d4ea28fa6affe657c37af0dc66316498a72b24607c0108706ed32ec9b065df79c