Overview

overview

10

Static

static

7

47a2a6900d...cs.exe

windows7-x64

10

47a2a6900d...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    14-05-2024 23:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    47a2a6900dc4484c7d2245af0cf9fe80_NeikiAnalytics.exe

  • Size

    90KB

  • MD5

    47a2a6900dc4484c7d2245af0cf9fe80

  • SHA1

    cbef726c9093383917f91a09134209888f297f4a

  • SHA256

    b448f0b8a217e738a9ef616a6c9643c8384979cf11ccef704a462152469da5ea

  • SHA512

    09a607e3bf2deaa27f28d064ff8e42b14503b2e3f324d58d2f132f6e0e36a8c58090b8d3fcc6623b71044200d17ddaa836400b2401306e5ca931655d239500fb

  • SSDEEP

    1536:UiYwjQt6QJvzZsgDIWzm/xsXfv+hYhyQQyV5uv4JBrB7w5VRGulTG1ZCL8nj1oDK:0wjZQJvzZsgsW6/Afv+hYfQIm4/rdE3Y

Score
10/10
modiloaderpersistencetrojanupx

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • ModiLoader Second Stage 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • UPX packed file 19 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\47a2a6900dc4484c7d2245af0cf9fe80_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\47a2a6900dc4484c7d2245af0cf9fe80_NeikiAnalytics.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1028
    • C:\Users\Admin\AppData\Local\Temp\47a2a6900dc4484c7d2245af0cf9fe80_NeikiAnalytics.exe
      "C:\Users\Admin\AppData\Local\Temp\47a2a6900dc4484c7d2245af0cf9fe80_NeikiAnalytics.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2900
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WWJLG.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:860
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Win Pdf" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe" /f
          4⤵
          • Adds Run key to start application
          PID:1924
      • C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1868
        • C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:596
        • C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
          4⤵
          • Executes dropped EXE
          PID:1196

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\WWJLG.bat
    Filesize

    145B

    MD5

    4eb61ec7816c34ec8c125acadc57ec1b

    SHA1

    b0015cc865c0bb1a027be663027d3829401a31cc

    SHA256

    08375cdb2e9819391f67f71e9718c15b48d3eaa452c54bd8fdd1f6a42e899aff

    SHA512

    f289f01d996dd643560370be8cdf8894e9a676ca3813f706c01ef5d705b9b18246c6cadf10d96edd433a616637b8a78fbd23c5738e76f1c4e671977b6d0cb6c1

    Download Submit
  • \Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
    Filesize

    90KB

    MD5

    496dd4f0108474e1ba9b2edaeceed674

    SHA1

    04f2649e60bf0841d43e6a31c143392fc08373d4

    SHA256

    a8ee0b5dd585e5c3eab4766b7b999e5c637ff358b165b8065684cccf0c834075

    SHA512

    d2a08b13ee1f93dfe01633097d1e876fbaba1779f6a22741a58df4fca85d36d6cb16cef812c7460591eb641a2cd99fddaf27ec3f1b544fb114e5445866c05464

    Download Submit
  • memory/596-253-0x0000000000400000-0x000000000040B000-memory.dmp
    Filesize

    44KB

    Download
  • memory/1028-69-0x0000000000300000-0x0000000000301000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1028-0-0x0000000000400000-0x0000000000453000-memory.dmp
    Filesize

    332KB

    Download
  • memory/1028-88-0x0000000000400000-0x0000000000453000-memory.dmp
    Filesize

    332KB

    Download
  • memory/1028-87-0x0000000000404000-0x0000000000405000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1028-89-0x00000000027B0000-0x0000000002803000-memory.dmp
    Filesize

    332KB

    Download
  • memory/1028-77-0x0000000000360000-0x0000000000362000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1028-59-0x00000000002E0000-0x00000000002E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1028-39-0x00000000002A0000-0x00000000002A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1028-27-0x0000000000280000-0x0000000000281000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1028-15-0x0000000000250000-0x0000000000251000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1028-3-0x0000000000230000-0x0000000000231000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1028-5-0x0000000000230000-0x0000000000231000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1028-105-0x0000000000400000-0x0000000000453000-memory.dmp
    Filesize

    332KB

    Download
  • memory/1196-254-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize

    80KB

    Download
  • memory/1196-242-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize

    80KB

    Download
  • memory/1868-160-0x00000000001E0000-0x00000000001E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1868-171-0x0000000000280000-0x0000000000281000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1868-205-0x0000000000400000-0x0000000000453000-memory.dmp
    Filesize

    332KB

    Download
  • memory/1868-244-0x0000000000400000-0x0000000000453000-memory.dmp
    Filesize

    332KB

    Download
  • memory/1868-150-0x00000000001C0000-0x00000000001C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1868-145-0x0000000000400000-0x0000000000453000-memory.dmp
    Filesize

    332KB

    Download
  • memory/2900-98-0x0000000000400000-0x000000000040B000-memory.dmp
    Filesize

    44KB

    Download
  • memory/2900-143-0x0000000003510000-0x0000000003563000-memory.dmp
    Filesize

    332KB

    Download
  • memory/2900-144-0x0000000003510000-0x0000000003563000-memory.dmp
    Filesize

    332KB

    Download
  • memory/2900-90-0x0000000000400000-0x000000000040B000-memory.dmp
    Filesize

    44KB

    Download
  • memory/2900-94-0x0000000000400000-0x000000000040B000-memory.dmp
    Filesize

    44KB

    Download
  • memory/2900-96-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2900-100-0x0000000000400000-0x000000000040B000-memory.dmp
    Filesize

    44KB

    Download
  • memory/2900-248-0x0000000000400000-0x000000000040B000-memory.dmp
    Filesize

    44KB

    Download
  • memory/2900-101-0x0000000000400000-0x000000000040B000-memory.dmp
    Filesize

    44KB

    Download
  • memory/2900-102-0x0000000000400000-0x000000000040B000-memory.dmp
    Filesize

    44KB

    Download
  • memory/2900-92-0x0000000000400000-0x000000000040B000-memory.dmp
    Filesize

    44KB

    Download