modiloader | 2d350e90d6793d58fdd6735427b4d40acf9e31e5bd805ddf4ccf370630fa1c20

General

Target

1c6da8a2ee509fff79cd24a2630360d0_NeikiAnalytics.exe
Size

308KB
MD5

1c6da8a2ee509fff79cd24a2630360d0
SHA1

385b27e4121ccb3d83c52e36891a0da34a90ce9d
SHA256

2d350e90d6793d58fdd6735427b4d40acf9e31e5bd805ddf4ccf370630fa1c20
SHA512

0fa60c44ec849bc27bb6c54283410875e4eb7190d2f1b188d3a3c0a5944c24f6537d99c4f8d63e82484bebac46f55f05eddb89eb24555b3627b0b8727c6bf8ec
SSDEEP

3072:/c3sBG7mXh7m/zZM3jAbNOM6CNtDCZFL:E3sBz0Z4Mj72F

Score

10^/10

modiloader persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/110504-147849-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2

Executes dropped EXE 3 IoCs

Processes:

csrsll.execsrsll.execsrsll.exe

pid process

119476 csrsll.exe
110020 csrsll.exe
110504 csrsll.exe

pid	process
119476	csrsll.exe
110020	csrsll.exe
110504	csrsll.exe

Loads dropped DLL 5 IoCs

Processes:

1c6da8a2ee509fff79cd24a2630360d0_NeikiAnalytics.exe

pid	process
119264	1c6da8a2ee509fff79cd24a2630360d0_NeikiAnalytics.exe
119264	1c6da8a2ee509fff79cd24a2630360d0_NeikiAnalytics.exe
119264	1c6da8a2ee509fff79cd24a2630360d0_NeikiAnalytics.exe
119264	1c6da8a2ee509fff79cd24a2630360d0_NeikiAnalytics.exe
119264	1c6da8a2ee509fff79cd24a2630360d0_NeikiAnalytics.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/119264-73923-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/119264-73924-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/119264-73925-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/119264-73921-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/119264-73918-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/119264-114323-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/119264-147842-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/110504-147835-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/110020-147848-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/110504-147849-0x0000000000400000-0x0000000000414000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Win Pdf = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\csrsll.exe"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

1c6da8a2ee509fff79cd24a2630360d0_NeikiAnalytics.execsrsll.exe

description	pid	process	target process
PID 1976 set thread context of 119264	1976	1c6da8a2ee509fff79cd24a2630360d0_NeikiAnalytics.exe	1c6da8a2ee509fff79cd24a2630360d0_NeikiAnalytics.exe
PID 119476 set thread context of 110020	119476	csrsll.exe	csrsll.exe
PID 119476 set thread context of 110504	119476	csrsll.exe	csrsll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

csrsll.exe

description	pid	process
Token: SeDebugPrivilege	110020	csrsll.exe
Token: SeDebugPrivilege	110020	csrsll.exe
Token: SeDebugPrivilege	110020	csrsll.exe
Token: SeDebugPrivilege	110020	csrsll.exe
Token: SeDebugPrivilege	110020	csrsll.exe
Token: SeDebugPrivilege	110020	csrsll.exe
Token: SeDebugPrivilege	110020	csrsll.exe
Token: SeDebugPrivilege	110020	csrsll.exe
Token: SeDebugPrivilege	110020	csrsll.exe
Token: SeDebugPrivilege	110020	csrsll.exe
Token: SeDebugPrivilege	110020	csrsll.exe
Token: SeDebugPrivilege	110020	csrsll.exe
Token: SeDebugPrivilege	110020	csrsll.exe
Token: SeDebugPrivilege	110020	csrsll.exe
Token: SeDebugPrivilege	110020	csrsll.exe
Token: SeDebugPrivilege	110020	csrsll.exe
Token: SeDebugPrivilege	110020	csrsll.exe
Token: SeDebugPrivilege	110020	csrsll.exe
Token: SeDebugPrivilege	110020	csrsll.exe
Token: SeDebugPrivilege	110020	csrsll.exe
Token: SeDebugPrivilege	110020	csrsll.exe
Token: SeDebugPrivilege	110020	csrsll.exe
Token: SeDebugPrivilege	110020	csrsll.exe
Token: SeDebugPrivilege	110020	csrsll.exe
Token: SeDebugPrivilege	110020	csrsll.exe
Token: SeDebugPrivilege	110020	csrsll.exe
Token: SeDebugPrivilege	110020	csrsll.exe
Token: SeDebugPrivilege	110020	csrsll.exe
Token: SeDebugPrivilege	110020	csrsll.exe
Token: SeDebugPrivilege	110020	csrsll.exe
Token: SeDebugPrivilege	110020	csrsll.exe
Token: SeDebugPrivilege	110020	csrsll.exe
Token: SeDebugPrivilege	110020	csrsll.exe
Token: SeDebugPrivilege	110020	csrsll.exe
Token: SeDebugPrivilege	110020	csrsll.exe
Token: SeDebugPrivilege	110020	csrsll.exe
Token: SeDebugPrivilege	110020	csrsll.exe
Token: SeDebugPrivilege	110020	csrsll.exe
Token: SeDebugPrivilege	110020	csrsll.exe
Token: SeDebugPrivilege	110020	csrsll.exe
Token: SeDebugPrivilege	110020	csrsll.exe
Token: SeDebugPrivilege	110020	csrsll.exe
Token: SeDebugPrivilege	110020	csrsll.exe
Token: SeDebugPrivilege	110020	csrsll.exe
Token: SeDebugPrivilege	110020	csrsll.exe
Token: SeDebugPrivilege	110020	csrsll.exe
Token: SeDebugPrivilege	110020	csrsll.exe
Token: SeDebugPrivilege	110020	csrsll.exe
Token: SeDebugPrivilege	110020	csrsll.exe
Token: SeDebugPrivilege	110020	csrsll.exe
Token: SeDebugPrivilege	110020	csrsll.exe
Token: SeDebugPrivilege	110020	csrsll.exe
Token: SeDebugPrivilege	110020	csrsll.exe
Token: SeDebugPrivilege	110020	csrsll.exe
Token: SeDebugPrivilege	110020	csrsll.exe
Token: SeDebugPrivilege	110020	csrsll.exe
Token: SeDebugPrivilege	110020	csrsll.exe
Token: SeDebugPrivilege	110020	csrsll.exe
Token: SeDebugPrivilege	110020	csrsll.exe
Token: SeDebugPrivilege	110020	csrsll.exe
Token: SeDebugPrivilege	110020	csrsll.exe
Token: SeDebugPrivilege	110020	csrsll.exe
Token: SeDebugPrivilege	110020	csrsll.exe
Token: SeDebugPrivilege	110020	csrsll.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

1c6da8a2ee509fff79cd24a2630360d0_NeikiAnalytics.exe1c6da8a2ee509fff79cd24a2630360d0_NeikiAnalytics.execsrsll.execsrsll.exe

pid	process
1976	1c6da8a2ee509fff79cd24a2630360d0_NeikiAnalytics.exe
119264	1c6da8a2ee509fff79cd24a2630360d0_NeikiAnalytics.exe
119476	csrsll.exe
110020	csrsll.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

1c6da8a2ee509fff79cd24a2630360d0_NeikiAnalytics.exe1c6da8a2ee509fff79cd24a2630360d0_NeikiAnalytics.execmd.execsrsll.exe

description	pid	process	target process
PID 1976 wrote to memory of 119264	1976	1c6da8a2ee509fff79cd24a2630360d0_NeikiAnalytics.exe	1c6da8a2ee509fff79cd24a2630360d0_NeikiAnalytics.exe
PID 1976 wrote to memory of 119264	1976	1c6da8a2ee509fff79cd24a2630360d0_NeikiAnalytics.exe	1c6da8a2ee509fff79cd24a2630360d0_NeikiAnalytics.exe
PID 1976 wrote to memory of 119264	1976	1c6da8a2ee509fff79cd24a2630360d0_NeikiAnalytics.exe	1c6da8a2ee509fff79cd24a2630360d0_NeikiAnalytics.exe
PID 1976 wrote to memory of 119264	1976	1c6da8a2ee509fff79cd24a2630360d0_NeikiAnalytics.exe	1c6da8a2ee509fff79cd24a2630360d0_NeikiAnalytics.exe
PID 1976 wrote to memory of 119264	1976	1c6da8a2ee509fff79cd24a2630360d0_NeikiAnalytics.exe	1c6da8a2ee509fff79cd24a2630360d0_NeikiAnalytics.exe
PID 1976 wrote to memory of 119264	1976	1c6da8a2ee509fff79cd24a2630360d0_NeikiAnalytics.exe	1c6da8a2ee509fff79cd24a2630360d0_NeikiAnalytics.exe
PID 1976 wrote to memory of 119264	1976	1c6da8a2ee509fff79cd24a2630360d0_NeikiAnalytics.exe	1c6da8a2ee509fff79cd24a2630360d0_NeikiAnalytics.exe
PID 1976 wrote to memory of 119264	1976	1c6da8a2ee509fff79cd24a2630360d0_NeikiAnalytics.exe	1c6da8a2ee509fff79cd24a2630360d0_NeikiAnalytics.exe
PID 119264 wrote to memory of 119400	119264	1c6da8a2ee509fff79cd24a2630360d0_NeikiAnalytics.exe	cmd.exe
PID 119264 wrote to memory of 119400	119264	1c6da8a2ee509fff79cd24a2630360d0_NeikiAnalytics.exe	cmd.exe
PID 119264 wrote to memory of 119400	119264	1c6da8a2ee509fff79cd24a2630360d0_NeikiAnalytics.exe	cmd.exe
PID 119264 wrote to memory of 119400	119264	1c6da8a2ee509fff79cd24a2630360d0_NeikiAnalytics.exe	cmd.exe
PID 119400 wrote to memory of 119452	119400	cmd.exe	reg.exe
PID 119400 wrote to memory of 119452	119400	cmd.exe	reg.exe
PID 119400 wrote to memory of 119452	119400	cmd.exe	reg.exe
PID 119400 wrote to memory of 119452	119400	cmd.exe	reg.exe
PID 119264 wrote to memory of 119476	119264	1c6da8a2ee509fff79cd24a2630360d0_NeikiAnalytics.exe	csrsll.exe
PID 119264 wrote to memory of 119476	119264	1c6da8a2ee509fff79cd24a2630360d0_NeikiAnalytics.exe	csrsll.exe
PID 119264 wrote to memory of 119476	119264	1c6da8a2ee509fff79cd24a2630360d0_NeikiAnalytics.exe	csrsll.exe
PID 119264 wrote to memory of 119476	119264	1c6da8a2ee509fff79cd24a2630360d0_NeikiAnalytics.exe	csrsll.exe
PID 119476 wrote to memory of 110020	119476	csrsll.exe	csrsll.exe
PID 119476 wrote to memory of 110020	119476	csrsll.exe	csrsll.exe
PID 119476 wrote to memory of 110020	119476	csrsll.exe	csrsll.exe
PID 119476 wrote to memory of 110020	119476	csrsll.exe	csrsll.exe
PID 119476 wrote to memory of 110020	119476	csrsll.exe	csrsll.exe
PID 119476 wrote to memory of 110020	119476	csrsll.exe	csrsll.exe
PID 119476 wrote to memory of 110020	119476	csrsll.exe	csrsll.exe
PID 119476 wrote to memory of 110020	119476	csrsll.exe	csrsll.exe
PID 119476 wrote to memory of 110504	119476	csrsll.exe	csrsll.exe
PID 119476 wrote to memory of 110504	119476	csrsll.exe	csrsll.exe
PID 119476 wrote to memory of 110504	119476	csrsll.exe	csrsll.exe
PID 119476 wrote to memory of 110504	119476	csrsll.exe	csrsll.exe
PID 119476 wrote to memory of 110504	119476	csrsll.exe	csrsll.exe
PID 119476 wrote to memory of 110504	119476	csrsll.exe	csrsll.exe
PID 119476 wrote to memory of 110504	119476	csrsll.exe	csrsll.exe
PID 119476 wrote to memory of 110504	119476	csrsll.exe	csrsll.exe

C:\Users\Admin\AppData\Local\Temp\1c6da8a2ee509fff79cd24a2630360d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1c6da8a2ee509fff79cd24a2630360d0_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1976

C:\Users\Admin\AppData\Local\Temp\1c6da8a2ee509fff79cd24a2630360d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1c6da8a2ee509fff79cd24a2630360d0_NeikiAnalytics.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:119264

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QSEIN.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:119400

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Win Pdf" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe" /f
4⤵
- Adds Run key to start application
PID:119452

C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:119476

C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:110020

C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
4⤵
- Executes dropped EXE
PID:110504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\QSEIN.bat
Filesize
145B

MD5
4eb61ec7816c34ec8c125acadc57ec1b

SHA1
b0015cc865c0bb1a027be663027d3829401a31cc

SHA256
08375cdb2e9819391f67f71e9718c15b48d3eaa452c54bd8fdd1f6a42e899aff

SHA512
f289f01d996dd643560370be8cdf8894e9a676ca3813f706c01ef5d705b9b18246c6cadf10d96edd433a616637b8a78fbd23c5738e76f1c4e671977b6d0cb6c1

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
Filesize
308KB

MD5
28c0c3cafef27804fa55921fff35d6d2

SHA1
0b215fbbc285e4b93452b1ec692b31330d8b2197

SHA256
4adc695d008b97b75548fd2842861748517389d6278237bc8212c46b546bc283

SHA512
77c9c2aff0e7b7f3a655126513deddfa7bd86665b29643e128e77719eac8f466a5cb54734b9fd43e1e22fe195f672873965743eb73af522774f83f1c615538b4

Download Submit
memory/1976-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1976-3-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/110020-147848-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/110504-147849-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/110504-147835-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/119264-73917-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/119264-73918-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/119264-73921-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/119264-73922-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/119264-114323-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/119264-147842-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/119264-73925-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/119264-73924-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/119264-73923-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/119476-73965-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads