modiloader | c2063d84e01207eda86531f210a35db0ae10eae694b77b91c1c82054e7d372ac

General

Target

c5a389b484f3b1a029ef74598bfa4ce0_NeikiAnalytics.exe
Size

90KB
MD5

c5a389b484f3b1a029ef74598bfa4ce0
SHA1

adcce54ba9f4eb82a70f5ad6473b5d69ddccca59
SHA256

c2063d84e01207eda86531f210a35db0ae10eae694b77b91c1c82054e7d372ac
SHA512

fe6197c38dd274b7e92097b5af7321da67a3527d01a49b5ba5f618dfd3d86dec6e6da36a218806c28ab1b7fc8b60b06c979e0ea169f246c36ad49fbdbd543f7f
SSDEEP

1536:UiYwjQt6QJvzZsgDIWzm/xsXfv+hYhyQQyV5uv4JBrB7w5VRGulTG1ZCL8nj1oDK:0wjZQJvzZsgsW6/Afv+hYfQIm4/rdE3Y

Score

10^/10

modiloader persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3908-54-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2
behavioral2/memory/3908-55-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2
behavioral2/memory/3908-56-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2
behavioral2/memory/3908-60-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c5a389b484f3b1a029ef74598bfa4ce0_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	c5a389b484f3b1a029ef74598bfa4ce0_NeikiAnalytics.exe

Executes dropped EXE 3 IoCs

Processes:

csrsll.execsrsll.execsrsll.exe

pid process

1360 csrsll.exe
1608 csrsll.exe
3908 csrsll.exe

pid	process
1360	csrsll.exe
1608	csrsll.exe
3908	csrsll.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2532-0-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/776-3-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/776-9-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/2532-11-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/776-12-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe	upx
behavioral2/memory/1360-37-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/1360-40-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/3908-46-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/1360-43-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/3908-52-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/1360-53-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/3908-54-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/3908-55-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/3908-56-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/776-58-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/1608-59-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/3908-60-0x0000000000400000-0x0000000000414000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Win Pdf = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\csrsll.exe"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

c5a389b484f3b1a029ef74598bfa4ce0_NeikiAnalytics.execsrsll.exe

description	pid	process	target process
PID 2532 set thread context of 776	2532	c5a389b484f3b1a029ef74598bfa4ce0_NeikiAnalytics.exe	c5a389b484f3b1a029ef74598bfa4ce0_NeikiAnalytics.exe
PID 1360 set thread context of 1608	1360	csrsll.exe	csrsll.exe
PID 1360 set thread context of 3908	1360	csrsll.exe	csrsll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

csrsll.exe

description	pid	process
Token: SeDebugPrivilege	1608	csrsll.exe
Token: SeDebugPrivilege	1608	csrsll.exe
Token: SeDebugPrivilege	1608	csrsll.exe
Token: SeDebugPrivilege	1608	csrsll.exe
Token: SeDebugPrivilege	1608	csrsll.exe
Token: SeDebugPrivilege	1608	csrsll.exe
Token: SeDebugPrivilege	1608	csrsll.exe
Token: SeDebugPrivilege	1608	csrsll.exe
Token: SeDebugPrivilege	1608	csrsll.exe
Token: SeDebugPrivilege	1608	csrsll.exe
Token: SeDebugPrivilege	1608	csrsll.exe
Token: SeDebugPrivilege	1608	csrsll.exe
Token: SeDebugPrivilege	1608	csrsll.exe
Token: SeDebugPrivilege	1608	csrsll.exe
Token: SeDebugPrivilege	1608	csrsll.exe
Token: SeDebugPrivilege	1608	csrsll.exe
Token: SeDebugPrivilege	1608	csrsll.exe
Token: SeDebugPrivilege	1608	csrsll.exe
Token: SeDebugPrivilege	1608	csrsll.exe
Token: SeDebugPrivilege	1608	csrsll.exe
Token: SeDebugPrivilege	1608	csrsll.exe
Token: SeDebugPrivilege	1608	csrsll.exe
Token: SeDebugPrivilege	1608	csrsll.exe
Token: SeDebugPrivilege	1608	csrsll.exe
Token: SeDebugPrivilege	1608	csrsll.exe
Token: SeDebugPrivilege	1608	csrsll.exe
Token: SeDebugPrivilege	1608	csrsll.exe
Token: SeDebugPrivilege	1608	csrsll.exe
Token: SeDebugPrivilege	1608	csrsll.exe
Token: SeDebugPrivilege	1608	csrsll.exe
Token: SeDebugPrivilege	1608	csrsll.exe
Token: SeDebugPrivilege	1608	csrsll.exe
Token: SeDebugPrivilege	1608	csrsll.exe
Token: SeDebugPrivilege	1608	csrsll.exe
Token: SeDebugPrivilege	1608	csrsll.exe
Token: SeDebugPrivilege	1608	csrsll.exe
Token: SeDebugPrivilege	1608	csrsll.exe
Token: SeDebugPrivilege	1608	csrsll.exe
Token: SeDebugPrivilege	1608	csrsll.exe
Token: SeDebugPrivilege	1608	csrsll.exe
Token: SeDebugPrivilege	1608	csrsll.exe
Token: SeDebugPrivilege	1608	csrsll.exe
Token: SeDebugPrivilege	1608	csrsll.exe
Token: SeDebugPrivilege	1608	csrsll.exe
Token: SeDebugPrivilege	1608	csrsll.exe
Token: SeDebugPrivilege	1608	csrsll.exe
Token: SeDebugPrivilege	1608	csrsll.exe
Token: SeDebugPrivilege	1608	csrsll.exe
Token: SeDebugPrivilege	1608	csrsll.exe
Token: SeDebugPrivilege	1608	csrsll.exe
Token: SeDebugPrivilege	1608	csrsll.exe
Token: SeDebugPrivilege	1608	csrsll.exe
Token: SeDebugPrivilege	1608	csrsll.exe
Token: SeDebugPrivilege	1608	csrsll.exe
Token: SeDebugPrivilege	1608	csrsll.exe
Token: SeDebugPrivilege	1608	csrsll.exe
Token: SeDebugPrivilege	1608	csrsll.exe
Token: SeDebugPrivilege	1608	csrsll.exe
Token: SeDebugPrivilege	1608	csrsll.exe
Token: SeDebugPrivilege	1608	csrsll.exe
Token: SeDebugPrivilege	1608	csrsll.exe
Token: SeDebugPrivilege	1608	csrsll.exe
Token: SeDebugPrivilege	1608	csrsll.exe
Token: SeDebugPrivilege	1608	csrsll.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

c5a389b484f3b1a029ef74598bfa4ce0_NeikiAnalytics.exec5a389b484f3b1a029ef74598bfa4ce0_NeikiAnalytics.execsrsll.execsrsll.exe

pid process

2532 c5a389b484f3b1a029ef74598bfa4ce0_NeikiAnalytics.exe
776 c5a389b484f3b1a029ef74598bfa4ce0_NeikiAnalytics.exe
1360 csrsll.exe
1608 csrsll.exe

pid	process
2532	c5a389b484f3b1a029ef74598bfa4ce0_NeikiAnalytics.exe
776	c5a389b484f3b1a029ef74598bfa4ce0_NeikiAnalytics.exe
1360	csrsll.exe
1608	csrsll.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

c5a389b484f3b1a029ef74598bfa4ce0_NeikiAnalytics.exec5a389b484f3b1a029ef74598bfa4ce0_NeikiAnalytics.execmd.execsrsll.exe

description	pid	process	target process
PID 2532 wrote to memory of 776	2532	c5a389b484f3b1a029ef74598bfa4ce0_NeikiAnalytics.exe	c5a389b484f3b1a029ef74598bfa4ce0_NeikiAnalytics.exe
PID 2532 wrote to memory of 776	2532	c5a389b484f3b1a029ef74598bfa4ce0_NeikiAnalytics.exe	c5a389b484f3b1a029ef74598bfa4ce0_NeikiAnalytics.exe
PID 2532 wrote to memory of 776	2532	c5a389b484f3b1a029ef74598bfa4ce0_NeikiAnalytics.exe	c5a389b484f3b1a029ef74598bfa4ce0_NeikiAnalytics.exe
PID 2532 wrote to memory of 776	2532	c5a389b484f3b1a029ef74598bfa4ce0_NeikiAnalytics.exe	c5a389b484f3b1a029ef74598bfa4ce0_NeikiAnalytics.exe
PID 2532 wrote to memory of 776	2532	c5a389b484f3b1a029ef74598bfa4ce0_NeikiAnalytics.exe	c5a389b484f3b1a029ef74598bfa4ce0_NeikiAnalytics.exe
PID 2532 wrote to memory of 776	2532	c5a389b484f3b1a029ef74598bfa4ce0_NeikiAnalytics.exe	c5a389b484f3b1a029ef74598bfa4ce0_NeikiAnalytics.exe
PID 2532 wrote to memory of 776	2532	c5a389b484f3b1a029ef74598bfa4ce0_NeikiAnalytics.exe	c5a389b484f3b1a029ef74598bfa4ce0_NeikiAnalytics.exe
PID 2532 wrote to memory of 776	2532	c5a389b484f3b1a029ef74598bfa4ce0_NeikiAnalytics.exe	c5a389b484f3b1a029ef74598bfa4ce0_NeikiAnalytics.exe
PID 776 wrote to memory of 4420	776	c5a389b484f3b1a029ef74598bfa4ce0_NeikiAnalytics.exe	cmd.exe
PID 776 wrote to memory of 4420	776	c5a389b484f3b1a029ef74598bfa4ce0_NeikiAnalytics.exe	cmd.exe
PID 776 wrote to memory of 4420	776	c5a389b484f3b1a029ef74598bfa4ce0_NeikiAnalytics.exe	cmd.exe
PID 4420 wrote to memory of 5100	4420	cmd.exe	reg.exe
PID 4420 wrote to memory of 5100	4420	cmd.exe	reg.exe
PID 4420 wrote to memory of 5100	4420	cmd.exe	reg.exe
PID 776 wrote to memory of 1360	776	c5a389b484f3b1a029ef74598bfa4ce0_NeikiAnalytics.exe	csrsll.exe
PID 776 wrote to memory of 1360	776	c5a389b484f3b1a029ef74598bfa4ce0_NeikiAnalytics.exe	csrsll.exe
PID 776 wrote to memory of 1360	776	c5a389b484f3b1a029ef74598bfa4ce0_NeikiAnalytics.exe	csrsll.exe
PID 1360 wrote to memory of 1608	1360	csrsll.exe	csrsll.exe
PID 1360 wrote to memory of 1608	1360	csrsll.exe	csrsll.exe
PID 1360 wrote to memory of 1608	1360	csrsll.exe	csrsll.exe
PID 1360 wrote to memory of 1608	1360	csrsll.exe	csrsll.exe
PID 1360 wrote to memory of 1608	1360	csrsll.exe	csrsll.exe
PID 1360 wrote to memory of 1608	1360	csrsll.exe	csrsll.exe
PID 1360 wrote to memory of 1608	1360	csrsll.exe	csrsll.exe
PID 1360 wrote to memory of 1608	1360	csrsll.exe	csrsll.exe
PID 1360 wrote to memory of 3908	1360	csrsll.exe	csrsll.exe
PID 1360 wrote to memory of 3908	1360	csrsll.exe	csrsll.exe
PID 1360 wrote to memory of 3908	1360	csrsll.exe	csrsll.exe
PID 1360 wrote to memory of 3908	1360	csrsll.exe	csrsll.exe
PID 1360 wrote to memory of 3908	1360	csrsll.exe	csrsll.exe
PID 1360 wrote to memory of 3908	1360	csrsll.exe	csrsll.exe
PID 1360 wrote to memory of 3908	1360	csrsll.exe	csrsll.exe
PID 1360 wrote to memory of 3908	1360	csrsll.exe	csrsll.exe

C:\Users\Admin\AppData\Local\Temp\c5a389b484f3b1a029ef74598bfa4ce0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c5a389b484f3b1a029ef74598bfa4ce0_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2532

C:\Users\Admin\AppData\Local\Temp\c5a389b484f3b1a029ef74598bfa4ce0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c5a389b484f3b1a029ef74598bfa4ce0_NeikiAnalytics.exe"
2⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EKPBD.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4420

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Win Pdf" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe" /f
4⤵
- Adds Run key to start application
PID:5100

C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1360

C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1608

C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
4⤵
- Executes dropped EXE
PID:3908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4220,i,16488180140590516186,11762960689811837350,262144 --variations-seed-version --mojo-platform-channel-handle=3836 /prefetch:8
1⤵
PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EKPBD.txt
Filesize
145B

MD5
4eb61ec7816c34ec8c125acadc57ec1b

SHA1
b0015cc865c0bb1a027be663027d3829401a31cc

SHA256
08375cdb2e9819391f67f71e9718c15b48d3eaa452c54bd8fdd1f6a42e899aff

SHA512
f289f01d996dd643560370be8cdf8894e9a676ca3813f706c01ef5d705b9b18246c6cadf10d96edd433a616637b8a78fbd23c5738e76f1c4e671977b6d0cb6c1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
Filesize
90KB

MD5
d54315d01ab645c4ac1ce95e4f00930c

SHA1
df83a554daf10bcfe9459b6f758e0c57fe998e49

SHA256
1bb7987e2f5d537171dd7dfef60c0281b369cd580a8b27ed0baf4987d25a46d1

SHA512
bc681080b272845eaad0afddbac314db245c57da0914e1bd6250656a1afa0032970e2882991de7c5ae8c41d9f46526e1e384f4cfbef1f9515e33631ad51925f0

Download Submit
memory/776-3-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/776-9-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/776-58-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/776-12-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1360-37-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1360-53-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1360-43-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1360-40-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1608-59-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2532-7-0x00000000022F0000-0x00000000022F2000-memory.dmp

Filesize
8KB

Download
memory/2532-4-0x00000000021C0000-0x00000000021C2000-memory.dmp

Filesize
8KB

Download
memory/2532-5-0x00000000022E0000-0x00000000022E2000-memory.dmp

Filesize
8KB

Download
memory/2532-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2532-8-0x0000000002300000-0x0000000002302000-memory.dmp

Filesize
8KB

Download
memory/2532-11-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3908-46-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3908-52-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3908-54-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3908-55-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3908-56-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3908-60-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads