Overview

overview

10

Static

static

7

a2d2677702...cs.exe

windows7-x64

10

a2d2677702...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-05-2024 06:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a2d26777029a0632c4f03c17dc50d510_NeikiAnalytics.exe

  • Size

    90KB

  • MD5

    a2d26777029a0632c4f03c17dc50d510

  • SHA1

    933a17606c4f9ef4471b5a9a515e966c83dd61dd

  • SHA256

    c7630dba78be6069d9f3f34dc8ae89ba50e8e3f987ae79ecdd07ad531d60d904

  • SHA512

    21fd9e7dedeeac534e72a55f2d154415d7fe48d5c0ebc5446718f14c787ea0950caab52ab4d969762125a4f0429bb59d5cce8e8b072f5d56cde6169a473d69dc

  • SSDEEP

    1536:UiYwjQt6QJvzZsgDIWzm/xsXfv+hYhyQQyV5uv4JBrB7w5VRGulTG1ZCL8nj1oDK:0wjZQJvzZsgsW6/Afv+hYfQIm4/rdE3Y

Score
10/10
modiloaderpersistencetrojanupx

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • ModiLoader Second Stage 5 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • UPX packed file 18 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a2d26777029a0632c4f03c17dc50d510_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\a2d26777029a0632c4f03c17dc50d510_NeikiAnalytics.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4200
    • C:\Users\Admin\AppData\Local\Temp\a2d26777029a0632c4f03c17dc50d510_NeikiAnalytics.exe
      "C:\Users\Admin\AppData\Local\Temp\a2d26777029a0632c4f03c17dc50d510_NeikiAnalytics.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4484
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DYCPF.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3184
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Win Pdf" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe" /f
          4⤵
          • Adds Run key to start application
          PID:4900
      • C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4624
        • C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:4396
        • C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
          4⤵
          • Executes dropped EXE
          PID:3884

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DYCPF.txt
    Filesize

    145B

    MD5

    4eb61ec7816c34ec8c125acadc57ec1b

    SHA1

    b0015cc865c0bb1a027be663027d3829401a31cc

    SHA256

    08375cdb2e9819391f67f71e9718c15b48d3eaa452c54bd8fdd1f6a42e899aff

    SHA512

    f289f01d996dd643560370be8cdf8894e9a676ca3813f706c01ef5d705b9b18246c6cadf10d96edd433a616637b8a78fbd23c5738e76f1c4e671977b6d0cb6c1

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
    Filesize

    90KB

    MD5

    5da008d454b4777f5aa02e2ac35e8d2b

    SHA1

    8200fcd5194d8466c86b5d3f362764162c39c8fa

    SHA256

    6f086a2c81e75331745734809a41133fdb6a25bcc5b348530e60d7d8d9adfef0

    SHA512

    8f1113aa159860867676052141ca3bd3edc26e760a9fe0c57c3dcfbb062aec008bc8207a0cb249b682793ecb6ce2439c604db794ffc3532e640f3b550e68809f

    Download Submit
  • memory/3884-51-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize

    80KB

    Download
  • memory/3884-40-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize

    80KB

    Download
  • memory/3884-59-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize

    80KB

    Download
  • memory/3884-46-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize

    80KB

    Download
  • memory/3884-50-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize

    80KB

    Download
  • memory/3884-53-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize

    80KB

    Download
  • memory/3884-48-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize

    80KB

    Download
  • memory/4200-4-0x0000000002A20000-0x0000000002A22000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4200-10-0x0000000000400000-0x0000000000453000-memory.dmp
    Filesize

    332KB

    Download
  • memory/4200-0-0x0000000000400000-0x0000000000453000-memory.dmp
    Filesize

    332KB

    Download
  • memory/4200-6-0x0000000002A40000-0x0000000002A42000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4200-7-0x0000000002A50000-0x0000000002A52000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4200-5-0x0000000002A30000-0x0000000002A32000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4396-58-0x0000000000400000-0x000000000040B000-memory.dmp
    Filesize

    44KB

    Download
  • memory/4484-3-0x0000000000400000-0x000000000040B000-memory.dmp
    Filesize

    44KB

    Download
  • memory/4484-57-0x0000000000400000-0x000000000040B000-memory.dmp
    Filesize

    44KB

    Download
  • memory/4484-11-0x0000000000400000-0x000000000040B000-memory.dmp
    Filesize

    44KB

    Download
  • memory/4484-55-0x0000000000410000-0x00000000004D9000-memory.dmp
    Filesize

    804KB

    Download
  • memory/4484-9-0x0000000000400000-0x000000000040B000-memory.dmp
    Filesize

    44KB

    Download
  • memory/4624-35-0x0000000000400000-0x0000000000453000-memory.dmp
    Filesize

    332KB

    Download
  • memory/4624-47-0x0000000000400000-0x0000000000453000-memory.dmp
    Filesize

    332KB

    Download