modiloader | 597abfd64e5cec3bf8650a632332bdd345027c4666f41a89290e62987d4df3b1

General

Target

befae85cc0f064c1f2127cadc1cacf20_NeikiAnalytics.exe
Size

35KB
MD5

befae85cc0f064c1f2127cadc1cacf20
SHA1

0dba1d6eb976cc6669133cee81aed0bb0269b6e6
SHA256

597abfd64e5cec3bf8650a632332bdd345027c4666f41a89290e62987d4df3b1
SHA512

5ee93408592d0cf766b02e0ebbd95a19ec96f5a13ab6a496f4aa823edcbcf4a20b573458c0d3de1b9bbe5309b2ccae85ed4b16ef6ebe24aca3a7a8681796e927
SSDEEP

768:Q8JqCbJQmkDx2Q8EyAC8DpqcjnxHJ+Vy3BYlZY:cC1kDpq+nH+g36Y

Score

10^/10

modiloader persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1888-10-0x0000000020000000-0x0000000020010000-memory.dmp	modiloader_stage2

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

befae85cc0f064c1f2127cadc1cacf20_NeikiAnalytics.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\	befae85cc0f064c1f2127cadc1cacf20_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\ACTIVE SETUP\INSTALLED COMPONENTS\swLÙ‡òuMƒ—?+ÔrGÕæO3@\|zÒ[>F&?„vo‘ÀxÆæ‹kXFV$4<ÍÁÆP‚nÉ ú)žßeÞ/I2õ‘5´Z”>´’ù’á ËŠàÂê0˜_+=È… Ñ°	befae85cc0f064c1f2127cadc1cacf20_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\ACTIVE SETUP\INSTALLED COMPONENTS\swLÙ‡òuMƒ—?+ÔrGÕæO3@\|zÒ[>F&?„vo‘ÀxÆæ‹kXFV$4<ÍÁÆP‚nÉ ú)žßeÞ/I2õ‘5´Z”>´’ù’á ËŠàÂê0˜_+=È… Ñ°\StubPath = "C:\\Windows\\\x17‘5\x03´Z”>\x16´’\x1bù’á\tËŠàÂê0˜_+=È… \x06\x03Ñ° 2"	befae85cc0f064c1f2127cadc1cacf20_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\SOFTWARE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\	befae85cc0f064c1f2127cadc1cacf20_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

befae85cc0f064c1f2127cadc1cacf20_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\ËŠàÂê0˜_+=È… Ñ° = "C:\\Windows\\\x17‘5\x03´Z”>\x16´’\x1bù’á\tËŠàÂê0˜_+=È… \x06\x03Ñ°"	befae85cc0f064c1f2127cadc1cacf20_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUNONCE\*ËŠàÂê0˜_+=È… Ñ° = "C:\\Windows\\\x17‘5\x03´Z”>\x16´’\x1bù’á\tËŠàÂê0˜_+=È… \x06\x03Ñ°"	befae85cc0f064c1f2127cadc1cacf20_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\RUNONCE\*ËŠàÂê0˜_+=È… Ñ° = "C:\\Windows\\\x17‘5\x03´Z”>\x16´’\x1bù’á\tËŠàÂê0˜_+=È… \x06\x03Ñ°"	befae85cc0f064c1f2127cadc1cacf20_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\ËŠàÂê0˜_+=È… Ñ° = "C:\\Windows\\\x17‘5\x03´Z”>\x16´’\x1bù’á\tËŠàÂê0˜_+=È… \x06\x03Ñ°"	befae85cc0f064c1f2127cadc1cacf20_NeikiAnalytics.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

befae85cc0f064c1f2127cadc1cacf20_NeikiAnalytics.exe

description	pid	process	target process
PID 1888 set thread context of 2988	1888	befae85cc0f064c1f2127cadc1cacf20_NeikiAnalytics.exe	befae85cc0f064c1f2127cadc1cacf20_NeikiAnalytics.exe

Drops file in Windows directory 1 IoCs

Processes:

befae85cc0f064c1f2127cadc1cacf20_NeikiAnalytics.exe

description	ioc	process
File created	C:\Windows\‘5´Z”>´’ù’á ËŠàÂê0˜_+=È… Ñ°	befae85cc0f064c1f2127cadc1cacf20_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

befae85cc0f064c1f2127cadc1cacf20_NeikiAnalytics.exe

pid process

2988 befae85cc0f064c1f2127cadc1cacf20_NeikiAnalytics.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

befae85cc0f064c1f2127cadc1cacf20_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 2988 befae85cc0f064c1f2127cadc1cacf20_NeikiAnalytics.exe

pid	process
2988	befae85cc0f064c1f2127cadc1cacf20_NeikiAnalytics.exe

description	pid	process
Token: SeDebugPrivilege	2988	befae85cc0f064c1f2127cadc1cacf20_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

befae85cc0f064c1f2127cadc1cacf20_NeikiAnalytics.exebefae85cc0f064c1f2127cadc1cacf20_NeikiAnalytics.exe

description	pid	process	target process
PID 1888 wrote to memory of 2988	1888	befae85cc0f064c1f2127cadc1cacf20_NeikiAnalytics.exe	befae85cc0f064c1f2127cadc1cacf20_NeikiAnalytics.exe
PID 1888 wrote to memory of 2988	1888	befae85cc0f064c1f2127cadc1cacf20_NeikiAnalytics.exe	befae85cc0f064c1f2127cadc1cacf20_NeikiAnalytics.exe
PID 1888 wrote to memory of 2988	1888	befae85cc0f064c1f2127cadc1cacf20_NeikiAnalytics.exe	befae85cc0f064c1f2127cadc1cacf20_NeikiAnalytics.exe
PID 1888 wrote to memory of 2988	1888	befae85cc0f064c1f2127cadc1cacf20_NeikiAnalytics.exe	befae85cc0f064c1f2127cadc1cacf20_NeikiAnalytics.exe
PID 1888 wrote to memory of 2988	1888	befae85cc0f064c1f2127cadc1cacf20_NeikiAnalytics.exe	befae85cc0f064c1f2127cadc1cacf20_NeikiAnalytics.exe
PID 1888 wrote to memory of 2988	1888	befae85cc0f064c1f2127cadc1cacf20_NeikiAnalytics.exe	befae85cc0f064c1f2127cadc1cacf20_NeikiAnalytics.exe
PID 2988 wrote to memory of 1184	2988	befae85cc0f064c1f2127cadc1cacf20_NeikiAnalytics.exe	Explorer.EXE
PID 2988 wrote to memory of 1184	2988	befae85cc0f064c1f2127cadc1cacf20_NeikiAnalytics.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1184

C:\Users\Admin\AppData\Local\Temp\befae85cc0f064c1f2127cadc1cacf20_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\befae85cc0f064c1f2127cadc1cacf20_NeikiAnalytics.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1888

C:\Users\Admin\AppData\Local\Temp\befae85cc0f064c1f2127cadc1cacf20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\befae85cc0f064c1f2127cadc1cacf20_NeikiAnalytics.exe
3⤵
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2988

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1888-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1888-10-0x0000000020000000-0x0000000020010000-memory.dmp

Filesize
64KB

Download
memory/2988-15-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2988-12-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2988-9-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2988-6-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2988-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads