modiloader | 91eff4f2865924915babf9f46867c1662d78a9e24217a2c3ff1e4cb6e6de19d7

General

Target

8a67cd938d366a2e56e3534f145d6cc0_NeikiAnalytics.exe
Size

326KB
MD5

8a67cd938d366a2e56e3534f145d6cc0
SHA1

51b3f3e1bf41afb56373fa6de3be5cd19bed71c6
SHA256

91eff4f2865924915babf9f46867c1662d78a9e24217a2c3ff1e4cb6e6de19d7
SHA512

1372a0984515de974d67f02f3145eb19cd6e09137b76eb9b48f28afa56c036b4776b804fbbe74f71a1aa319d30f1c4b3f26474a0ae452728462ddf5e653fca12
SSDEEP

3072:Ie2A0wxDqUpM5scww4chO+O1BmP5DG0sg3i4XZ9WvDZHwdRX/L+gP38XV:IsxD5cwohO+O1sVG0/pZ6iPC8

Score

10^/10

modiloader persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/336-51-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2
behavioral2/memory/336-50-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2
behavioral2/memory/336-48-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2
behavioral2/memory/336-55-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8a67cd938d366a2e56e3534f145d6cc0_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	8a67cd938d366a2e56e3534f145d6cc0_NeikiAnalytics.exe

Executes dropped EXE 3 IoCs

Processes:

csrsll.execsrsll.execsrsll.exe

pid process

3316 csrsll.exe
4640 csrsll.exe
336 csrsll.exe

pid	process
3316	csrsll.exe
4640	csrsll.exe
336	csrsll.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4692-0-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/2056-4-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4692-7-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/2056-9-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/2056-6-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe	upx
behavioral2/memory/3316-32-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/336-46-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/336-45-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/3316-44-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/336-51-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/336-50-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/336-48-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/336-39-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/2056-52-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4640-54-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/336-55-0x0000000000400000-0x0000000000414000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Win Pdf = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\csrsll.exe"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

8a67cd938d366a2e56e3534f145d6cc0_NeikiAnalytics.execsrsll.exe

description	pid	process	target process
PID 4692 set thread context of 2056	4692	8a67cd938d366a2e56e3534f145d6cc0_NeikiAnalytics.exe	8a67cd938d366a2e56e3534f145d6cc0_NeikiAnalytics.exe
PID 3316 set thread context of 4640	3316	csrsll.exe	csrsll.exe
PID 3316 set thread context of 336	3316	csrsll.exe	csrsll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

csrsll.exe

description	pid	process
Token: SeDebugPrivilege	4640	csrsll.exe
Token: SeDebugPrivilege	4640	csrsll.exe
Token: SeDebugPrivilege	4640	csrsll.exe
Token: SeDebugPrivilege	4640	csrsll.exe
Token: SeDebugPrivilege	4640	csrsll.exe
Token: SeDebugPrivilege	4640	csrsll.exe
Token: SeDebugPrivilege	4640	csrsll.exe
Token: SeDebugPrivilege	4640	csrsll.exe
Token: SeDebugPrivilege	4640	csrsll.exe
Token: SeDebugPrivilege	4640	csrsll.exe
Token: SeDebugPrivilege	4640	csrsll.exe
Token: SeDebugPrivilege	4640	csrsll.exe
Token: SeDebugPrivilege	4640	csrsll.exe
Token: SeDebugPrivilege	4640	csrsll.exe
Token: SeDebugPrivilege	4640	csrsll.exe
Token: SeDebugPrivilege	4640	csrsll.exe
Token: SeDebugPrivilege	4640	csrsll.exe
Token: SeDebugPrivilege	4640	csrsll.exe
Token: SeDebugPrivilege	4640	csrsll.exe
Token: SeDebugPrivilege	4640	csrsll.exe
Token: SeDebugPrivilege	4640	csrsll.exe
Token: SeDebugPrivilege	4640	csrsll.exe
Token: SeDebugPrivilege	4640	csrsll.exe
Token: SeDebugPrivilege	4640	csrsll.exe
Token: SeDebugPrivilege	4640	csrsll.exe
Token: SeDebugPrivilege	4640	csrsll.exe
Token: SeDebugPrivilege	4640	csrsll.exe
Token: SeDebugPrivilege	4640	csrsll.exe
Token: SeDebugPrivilege	4640	csrsll.exe
Token: SeDebugPrivilege	4640	csrsll.exe
Token: SeDebugPrivilege	4640	csrsll.exe
Token: SeDebugPrivilege	4640	csrsll.exe
Token: SeDebugPrivilege	4640	csrsll.exe
Token: SeDebugPrivilege	4640	csrsll.exe
Token: SeDebugPrivilege	4640	csrsll.exe
Token: SeDebugPrivilege	4640	csrsll.exe
Token: SeDebugPrivilege	4640	csrsll.exe
Token: SeDebugPrivilege	4640	csrsll.exe
Token: SeDebugPrivilege	4640	csrsll.exe
Token: SeDebugPrivilege	4640	csrsll.exe
Token: SeDebugPrivilege	4640	csrsll.exe
Token: SeDebugPrivilege	4640	csrsll.exe
Token: SeDebugPrivilege	4640	csrsll.exe
Token: SeDebugPrivilege	4640	csrsll.exe
Token: SeDebugPrivilege	4640	csrsll.exe
Token: SeDebugPrivilege	4640	csrsll.exe
Token: SeDebugPrivilege	4640	csrsll.exe
Token: SeDebugPrivilege	4640	csrsll.exe
Token: SeDebugPrivilege	4640	csrsll.exe
Token: SeDebugPrivilege	4640	csrsll.exe
Token: SeDebugPrivilege	4640	csrsll.exe
Token: SeDebugPrivilege	4640	csrsll.exe
Token: SeDebugPrivilege	4640	csrsll.exe
Token: SeDebugPrivilege	4640	csrsll.exe
Token: SeDebugPrivilege	4640	csrsll.exe
Token: SeDebugPrivilege	4640	csrsll.exe
Token: SeDebugPrivilege	4640	csrsll.exe
Token: SeDebugPrivilege	4640	csrsll.exe
Token: SeDebugPrivilege	4640	csrsll.exe
Token: SeDebugPrivilege	4640	csrsll.exe
Token: SeDebugPrivilege	4640	csrsll.exe
Token: SeDebugPrivilege	4640	csrsll.exe
Token: SeDebugPrivilege	4640	csrsll.exe
Token: SeDebugPrivilege	4640	csrsll.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

8a67cd938d366a2e56e3534f145d6cc0_NeikiAnalytics.exe8a67cd938d366a2e56e3534f145d6cc0_NeikiAnalytics.execsrsll.execsrsll.exe

pid process

4692 8a67cd938d366a2e56e3534f145d6cc0_NeikiAnalytics.exe
2056 8a67cd938d366a2e56e3534f145d6cc0_NeikiAnalytics.exe
3316 csrsll.exe
4640 csrsll.exe

pid	process
4692	8a67cd938d366a2e56e3534f145d6cc0_NeikiAnalytics.exe
2056	8a67cd938d366a2e56e3534f145d6cc0_NeikiAnalytics.exe
3316	csrsll.exe
4640	csrsll.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

8a67cd938d366a2e56e3534f145d6cc0_NeikiAnalytics.exe8a67cd938d366a2e56e3534f145d6cc0_NeikiAnalytics.execmd.execsrsll.exe

description	pid	process	target process
PID 4692 wrote to memory of 2056	4692	8a67cd938d366a2e56e3534f145d6cc0_NeikiAnalytics.exe	8a67cd938d366a2e56e3534f145d6cc0_NeikiAnalytics.exe
PID 4692 wrote to memory of 2056	4692	8a67cd938d366a2e56e3534f145d6cc0_NeikiAnalytics.exe	8a67cd938d366a2e56e3534f145d6cc0_NeikiAnalytics.exe
PID 4692 wrote to memory of 2056	4692	8a67cd938d366a2e56e3534f145d6cc0_NeikiAnalytics.exe	8a67cd938d366a2e56e3534f145d6cc0_NeikiAnalytics.exe
PID 4692 wrote to memory of 2056	4692	8a67cd938d366a2e56e3534f145d6cc0_NeikiAnalytics.exe	8a67cd938d366a2e56e3534f145d6cc0_NeikiAnalytics.exe
PID 4692 wrote to memory of 2056	4692	8a67cd938d366a2e56e3534f145d6cc0_NeikiAnalytics.exe	8a67cd938d366a2e56e3534f145d6cc0_NeikiAnalytics.exe
PID 4692 wrote to memory of 2056	4692	8a67cd938d366a2e56e3534f145d6cc0_NeikiAnalytics.exe	8a67cd938d366a2e56e3534f145d6cc0_NeikiAnalytics.exe
PID 4692 wrote to memory of 2056	4692	8a67cd938d366a2e56e3534f145d6cc0_NeikiAnalytics.exe	8a67cd938d366a2e56e3534f145d6cc0_NeikiAnalytics.exe
PID 4692 wrote to memory of 2056	4692	8a67cd938d366a2e56e3534f145d6cc0_NeikiAnalytics.exe	8a67cd938d366a2e56e3534f145d6cc0_NeikiAnalytics.exe
PID 2056 wrote to memory of 2528	2056	8a67cd938d366a2e56e3534f145d6cc0_NeikiAnalytics.exe	cmd.exe
PID 2056 wrote to memory of 2528	2056	8a67cd938d366a2e56e3534f145d6cc0_NeikiAnalytics.exe	cmd.exe
PID 2056 wrote to memory of 2528	2056	8a67cd938d366a2e56e3534f145d6cc0_NeikiAnalytics.exe	cmd.exe
PID 2528 wrote to memory of 4912	2528	cmd.exe	reg.exe
PID 2528 wrote to memory of 4912	2528	cmd.exe	reg.exe
PID 2528 wrote to memory of 4912	2528	cmd.exe	reg.exe
PID 2056 wrote to memory of 3316	2056	8a67cd938d366a2e56e3534f145d6cc0_NeikiAnalytics.exe	csrsll.exe
PID 2056 wrote to memory of 3316	2056	8a67cd938d366a2e56e3534f145d6cc0_NeikiAnalytics.exe	csrsll.exe
PID 2056 wrote to memory of 3316	2056	8a67cd938d366a2e56e3534f145d6cc0_NeikiAnalytics.exe	csrsll.exe
PID 3316 wrote to memory of 4640	3316	csrsll.exe	csrsll.exe
PID 3316 wrote to memory of 4640	3316	csrsll.exe	csrsll.exe
PID 3316 wrote to memory of 4640	3316	csrsll.exe	csrsll.exe
PID 3316 wrote to memory of 4640	3316	csrsll.exe	csrsll.exe
PID 3316 wrote to memory of 4640	3316	csrsll.exe	csrsll.exe
PID 3316 wrote to memory of 4640	3316	csrsll.exe	csrsll.exe
PID 3316 wrote to memory of 4640	3316	csrsll.exe	csrsll.exe
PID 3316 wrote to memory of 4640	3316	csrsll.exe	csrsll.exe
PID 3316 wrote to memory of 336	3316	csrsll.exe	csrsll.exe
PID 3316 wrote to memory of 336	3316	csrsll.exe	csrsll.exe
PID 3316 wrote to memory of 336	3316	csrsll.exe	csrsll.exe
PID 3316 wrote to memory of 336	3316	csrsll.exe	csrsll.exe
PID 3316 wrote to memory of 336	3316	csrsll.exe	csrsll.exe
PID 3316 wrote to memory of 336	3316	csrsll.exe	csrsll.exe
PID 3316 wrote to memory of 336	3316	csrsll.exe	csrsll.exe
PID 3316 wrote to memory of 336	3316	csrsll.exe	csrsll.exe

C:\Users\Admin\AppData\Local\Temp\8a67cd938d366a2e56e3534f145d6cc0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8a67cd938d366a2e56e3534f145d6cc0_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4692

C:\Users\Admin\AppData\Local\Temp\8a67cd938d366a2e56e3534f145d6cc0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8a67cd938d366a2e56e3534f145d6cc0_NeikiAnalytics.exe"
2⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ITYVJ.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2528

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Win Pdf" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe" /f
4⤵
- Adds Run key to start application
PID:4912

C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3316

C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4640

C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
4⤵
- Executes dropped EXE
PID:336

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ITYVJ.txt
Filesize
145B

MD5
4eb61ec7816c34ec8c125acadc57ec1b

SHA1
b0015cc865c0bb1a027be663027d3829401a31cc

SHA256
08375cdb2e9819391f67f71e9718c15b48d3eaa452c54bd8fdd1f6a42e899aff

SHA512
f289f01d996dd643560370be8cdf8894e9a676ca3813f706c01ef5d705b9b18246c6cadf10d96edd433a616637b8a78fbd23c5738e76f1c4e671977b6d0cb6c1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
Filesize
326KB

MD5
1424c46bbe61202818d04d1bbbd0b129

SHA1
5f5145ddd0263f8b532b3cafcc0e291d9904cbda

SHA256
028f743ad05dbc5e4ded59b260ea11ab6f69c651019b49763648f4eaadc5ff85

SHA512
5885dbb966488be2cdb50f95a42915d89c8f0363a6c452adeae32b6d8a94f6ae6cd9153822afdcd22e464908c8ca2ade5749e37b2f44b964e4a4c1d685695f77

Download Submit
memory/336-46-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/336-55-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/336-39-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/336-48-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/336-50-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/336-51-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/336-45-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2056-9-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2056-6-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2056-4-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2056-52-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3316-32-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3316-44-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4640-54-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4692-0-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4692-7-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4692-3-0x0000000002A20000-0x0000000002A22000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads