modiloader | f34544761ede1c4ea91370d0db4b5dde08dd5ed4429e9366c2158af6c0bc0ec7

General

Target

d10205193a66bac2d6512cda08420ee0_NeikiAnalytics.exe
Size

130KB
MD5

d10205193a66bac2d6512cda08420ee0
SHA1

7cd6b5025f316189b172959177961a133f888a0f
SHA256

f34544761ede1c4ea91370d0db4b5dde08dd5ed4429e9366c2158af6c0bc0ec7
SHA512

6ddec456578f0bb170466bd12615caa2919cf04d3a613b7a0598564f1a8e68f34ae48b95c4744d35f0a94d5e94fc88afc1485ca8988870fceff00660b66fd98f
SSDEEP

1536:eH1ZaQvR1KiX3NK6I+hZhYrt/w5Q6G6IpiRYzz9qJHhhnm0yG5aP/5UROXTmo:SKQJcinxphkG5Q6GdpIOkJHhKRyOXK

Score

10^/10

modiloader persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/64-52-0x0000000000400000-0x0000000000411000-memory.dmp	modiloader_stage2
behavioral2/memory/64-49-0x0000000000400000-0x0000000000411000-memory.dmp	modiloader_stage2
behavioral2/memory/64-53-0x0000000000400000-0x0000000000411000-memory.dmp	modiloader_stage2
behavioral2/memory/64-58-0x0000000000400000-0x0000000000411000-memory.dmp	modiloader_stage2
behavioral2/memory/64-59-0x0000000000400000-0x0000000000411000-memory.dmp	modiloader_stage2
behavioral2/memory/64-63-0x0000000000400000-0x0000000000411000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d10205193a66bac2d6512cda08420ee0_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	d10205193a66bac2d6512cda08420ee0_NeikiAnalytics.exe

Executes dropped EXE 3 IoCs

Processes:

Flaseher.exeFlaseher.exeFlaseher.exe

pid process

964 Flaseher.exe
4436 Flaseher.exe
64 Flaseher.exe

pid	process
964	Flaseher.exe
4436	Flaseher.exe
64	Flaseher.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3108-0-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/3108-6-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/3140-9-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/3140-11-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/3140-13-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/3108-16-0x0000000000400000-0x0000000000423000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe	upx
behavioral2/memory/964-37-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/3140-41-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/964-42-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/964-43-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/964-44-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/964-57-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/3140-60-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4436-62-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\.Flasfh = "C:\\Users\\Admin\\AppData\\Roaming\\..Flash\\Flaseher.exe"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

d10205193a66bac2d6512cda08420ee0_NeikiAnalytics.exeFlaseher.exe

description	pid	process	target process
PID 3108 set thread context of 3140	3108	d10205193a66bac2d6512cda08420ee0_NeikiAnalytics.exe	d10205193a66bac2d6512cda08420ee0_NeikiAnalytics.exe
PID 964 set thread context of 4436	964	Flaseher.exe	Flaseher.exe
PID 964 set thread context of 64	964	Flaseher.exe	Flaseher.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Flaseher.exe

description	pid	process
Token: SeDebugPrivilege	4436	Flaseher.exe
Token: SeDebugPrivilege	4436	Flaseher.exe
Token: SeDebugPrivilege	4436	Flaseher.exe
Token: SeDebugPrivilege	4436	Flaseher.exe
Token: SeDebugPrivilege	4436	Flaseher.exe
Token: SeDebugPrivilege	4436	Flaseher.exe
Token: SeDebugPrivilege	4436	Flaseher.exe
Token: SeDebugPrivilege	4436	Flaseher.exe
Token: SeDebugPrivilege	4436	Flaseher.exe
Token: SeDebugPrivilege	4436	Flaseher.exe
Token: SeDebugPrivilege	4436	Flaseher.exe
Token: SeDebugPrivilege	4436	Flaseher.exe
Token: SeDebugPrivilege	4436	Flaseher.exe
Token: SeDebugPrivilege	4436	Flaseher.exe
Token: SeDebugPrivilege	4436	Flaseher.exe
Token: SeDebugPrivilege	4436	Flaseher.exe
Token: SeDebugPrivilege	4436	Flaseher.exe
Token: SeDebugPrivilege	4436	Flaseher.exe
Token: SeDebugPrivilege	4436	Flaseher.exe
Token: SeDebugPrivilege	4436	Flaseher.exe
Token: SeDebugPrivilege	4436	Flaseher.exe
Token: SeDebugPrivilege	4436	Flaseher.exe
Token: SeDebugPrivilege	4436	Flaseher.exe
Token: SeDebugPrivilege	4436	Flaseher.exe
Token: SeDebugPrivilege	4436	Flaseher.exe
Token: SeDebugPrivilege	4436	Flaseher.exe
Token: SeDebugPrivilege	4436	Flaseher.exe
Token: SeDebugPrivilege	4436	Flaseher.exe
Token: SeDebugPrivilege	4436	Flaseher.exe
Token: SeDebugPrivilege	4436	Flaseher.exe
Token: SeDebugPrivilege	4436	Flaseher.exe
Token: SeDebugPrivilege	4436	Flaseher.exe
Token: SeDebugPrivilege	4436	Flaseher.exe
Token: SeDebugPrivilege	4436	Flaseher.exe
Token: SeDebugPrivilege	4436	Flaseher.exe
Token: SeDebugPrivilege	4436	Flaseher.exe
Token: SeDebugPrivilege	4436	Flaseher.exe
Token: SeDebugPrivilege	4436	Flaseher.exe
Token: SeDebugPrivilege	4436	Flaseher.exe
Token: SeDebugPrivilege	4436	Flaseher.exe
Token: SeDebugPrivilege	4436	Flaseher.exe
Token: SeDebugPrivilege	4436	Flaseher.exe
Token: SeDebugPrivilege	4436	Flaseher.exe
Token: SeDebugPrivilege	4436	Flaseher.exe
Token: SeDebugPrivilege	4436	Flaseher.exe
Token: SeDebugPrivilege	4436	Flaseher.exe
Token: SeDebugPrivilege	4436	Flaseher.exe
Token: SeDebugPrivilege	4436	Flaseher.exe
Token: SeDebugPrivilege	4436	Flaseher.exe
Token: SeDebugPrivilege	4436	Flaseher.exe
Token: SeDebugPrivilege	4436	Flaseher.exe
Token: SeDebugPrivilege	4436	Flaseher.exe
Token: SeDebugPrivilege	4436	Flaseher.exe
Token: SeDebugPrivilege	4436	Flaseher.exe
Token: SeDebugPrivilege	4436	Flaseher.exe
Token: SeDebugPrivilege	4436	Flaseher.exe
Token: SeDebugPrivilege	4436	Flaseher.exe
Token: SeDebugPrivilege	4436	Flaseher.exe
Token: SeDebugPrivilege	4436	Flaseher.exe
Token: SeDebugPrivilege	4436	Flaseher.exe
Token: SeDebugPrivilege	4436	Flaseher.exe
Token: SeDebugPrivilege	4436	Flaseher.exe
Token: SeDebugPrivilege	4436	Flaseher.exe
Token: SeDebugPrivilege	4436	Flaseher.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

d10205193a66bac2d6512cda08420ee0_NeikiAnalytics.exed10205193a66bac2d6512cda08420ee0_NeikiAnalytics.exeFlaseher.exeFlaseher.exe

pid	process
3108	d10205193a66bac2d6512cda08420ee0_NeikiAnalytics.exe
3140	d10205193a66bac2d6512cda08420ee0_NeikiAnalytics.exe
964	Flaseher.exe
4436	Flaseher.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

d10205193a66bac2d6512cda08420ee0_NeikiAnalytics.exed10205193a66bac2d6512cda08420ee0_NeikiAnalytics.execmd.exeFlaseher.exe

description	pid	process	target process
PID 3108 wrote to memory of 3140	3108	d10205193a66bac2d6512cda08420ee0_NeikiAnalytics.exe	d10205193a66bac2d6512cda08420ee0_NeikiAnalytics.exe
PID 3108 wrote to memory of 3140	3108	d10205193a66bac2d6512cda08420ee0_NeikiAnalytics.exe	d10205193a66bac2d6512cda08420ee0_NeikiAnalytics.exe
PID 3108 wrote to memory of 3140	3108	d10205193a66bac2d6512cda08420ee0_NeikiAnalytics.exe	d10205193a66bac2d6512cda08420ee0_NeikiAnalytics.exe
PID 3108 wrote to memory of 3140	3108	d10205193a66bac2d6512cda08420ee0_NeikiAnalytics.exe	d10205193a66bac2d6512cda08420ee0_NeikiAnalytics.exe
PID 3108 wrote to memory of 3140	3108	d10205193a66bac2d6512cda08420ee0_NeikiAnalytics.exe	d10205193a66bac2d6512cda08420ee0_NeikiAnalytics.exe
PID 3108 wrote to memory of 3140	3108	d10205193a66bac2d6512cda08420ee0_NeikiAnalytics.exe	d10205193a66bac2d6512cda08420ee0_NeikiAnalytics.exe
PID 3108 wrote to memory of 3140	3108	d10205193a66bac2d6512cda08420ee0_NeikiAnalytics.exe	d10205193a66bac2d6512cda08420ee0_NeikiAnalytics.exe
PID 3108 wrote to memory of 3140	3108	d10205193a66bac2d6512cda08420ee0_NeikiAnalytics.exe	d10205193a66bac2d6512cda08420ee0_NeikiAnalytics.exe
PID 3140 wrote to memory of 3228	3140	d10205193a66bac2d6512cda08420ee0_NeikiAnalytics.exe	cmd.exe
PID 3140 wrote to memory of 3228	3140	d10205193a66bac2d6512cda08420ee0_NeikiAnalytics.exe	cmd.exe
PID 3140 wrote to memory of 3228	3140	d10205193a66bac2d6512cda08420ee0_NeikiAnalytics.exe	cmd.exe
PID 3228 wrote to memory of 1624	3228	cmd.exe	reg.exe
PID 3228 wrote to memory of 1624	3228	cmd.exe	reg.exe
PID 3228 wrote to memory of 1624	3228	cmd.exe	reg.exe
PID 3140 wrote to memory of 964	3140	d10205193a66bac2d6512cda08420ee0_NeikiAnalytics.exe	Flaseher.exe
PID 3140 wrote to memory of 964	3140	d10205193a66bac2d6512cda08420ee0_NeikiAnalytics.exe	Flaseher.exe
PID 3140 wrote to memory of 964	3140	d10205193a66bac2d6512cda08420ee0_NeikiAnalytics.exe	Flaseher.exe
PID 964 wrote to memory of 4436	964	Flaseher.exe	Flaseher.exe
PID 964 wrote to memory of 4436	964	Flaseher.exe	Flaseher.exe
PID 964 wrote to memory of 4436	964	Flaseher.exe	Flaseher.exe
PID 964 wrote to memory of 4436	964	Flaseher.exe	Flaseher.exe
PID 964 wrote to memory of 4436	964	Flaseher.exe	Flaseher.exe
PID 964 wrote to memory of 4436	964	Flaseher.exe	Flaseher.exe
PID 964 wrote to memory of 4436	964	Flaseher.exe	Flaseher.exe
PID 964 wrote to memory of 4436	964	Flaseher.exe	Flaseher.exe
PID 964 wrote to memory of 64	964	Flaseher.exe	Flaseher.exe
PID 964 wrote to memory of 64	964	Flaseher.exe	Flaseher.exe
PID 964 wrote to memory of 64	964	Flaseher.exe	Flaseher.exe
PID 964 wrote to memory of 64	964	Flaseher.exe	Flaseher.exe
PID 964 wrote to memory of 64	964	Flaseher.exe	Flaseher.exe
PID 964 wrote to memory of 64	964	Flaseher.exe	Flaseher.exe
PID 964 wrote to memory of 64	964	Flaseher.exe	Flaseher.exe
PID 964 wrote to memory of 64	964	Flaseher.exe	Flaseher.exe
PID 964 wrote to memory of 64	964	Flaseher.exe	Flaseher.exe
PID 964 wrote to memory of 64	964	Flaseher.exe	Flaseher.exe
PID 964 wrote to memory of 64	964	Flaseher.exe	Flaseher.exe
PID 964 wrote to memory of 64	964	Flaseher.exe	Flaseher.exe
PID 964 wrote to memory of 64	964	Flaseher.exe	Flaseher.exe

C:\Users\Admin\AppData\Local\Temp\d10205193a66bac2d6512cda08420ee0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d10205193a66bac2d6512cda08420ee0_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3108

C:\Users\Admin\AppData\Local\Temp\d10205193a66bac2d6512cda08420ee0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d10205193a66bac2d6512cda08420ee0_NeikiAnalytics.exe"
2⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JXWIQ.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:3228

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v ".Flasfh" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe" /f
4⤵
- Adds Run key to start application
PID:1624

C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe
"C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:964

C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe
"C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4436

C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe
"C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe"
4⤵
- Executes dropped EXE
PID:64

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4064 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
1⤵
PID:628

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\JXWIQ.txt
Filesize
145B

MD5
da0cbe87b720a79b294147ed6a4b98be

SHA1
ebf0dc9efd7a12cb192e355cda87546acb4ab360

SHA256
7ccfeff356fdccc9145bd1e263aa1c56360ca7b6552ed5a5665c596d02a627ed

SHA512
f55c4a3d24d2f11db5eda3c816d1cd3b8804a171a7bf715b13d60788247fbb352eafaa5bd4e0a8086c1013396be0a48c7bdb904ab0f974fa0c75e81e3d365acc

Download Submit
C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe
Filesize
130KB

MD5
91efa549f86e879124bffde3e5d8a4ec

SHA1
9bb385c8d657ec03ee7d6a5ba40265ee0d92e422

SHA256
1056e6de223e58b23818580d165e1c02334a7aef9a479f1e04067cc34e074873

SHA512
0ca728001014287edafb8758ef93abb76d473d0a21eb1a7991f91b2ff35c814b6a359fe5529ea6c98f00e5301fef0edcabdbb31a7b5cc0a1c30d62d521372e18

Download Submit
memory/64-52-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/64-49-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/64-63-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/64-59-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/64-58-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/64-53-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/964-57-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/964-44-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/964-42-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/964-43-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/964-37-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3108-5-0x0000000002C20000-0x0000000002C21000-memory.dmp

Filesize
4KB

Download
memory/3108-6-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3108-7-0x0000000002CA0000-0x0000000002CA1000-memory.dmp

Filesize
4KB

Download
memory/3108-4-0x0000000002BE0000-0x0000000002BE1000-memory.dmp

Filesize
4KB

Download
memory/3108-3-0x0000000002BB0000-0x0000000002BB1000-memory.dmp

Filesize
4KB

Download
memory/3108-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3108-8-0x0000000002CB0000-0x0000000002CB1000-memory.dmp

Filesize
4KB

Download
memory/3108-16-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3140-13-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3140-9-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3140-11-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3140-60-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3140-41-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4436-62-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads