Overview

overview

10

Static

static

7

5e3039f9dc...cs.exe

windows7-x64

10

5e3039f9dc...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    23-05-2024 00:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5e3039f9dce50e58bd98fc0282edb410_NeikiAnalytics.exe

  • Size

    90KB

  • MD5

    5e3039f9dce50e58bd98fc0282edb410

  • SHA1

    ab994179e5e8dc49cf0aee94989ab91e0032ec81

  • SHA256

    85f06a091c622b548e69003065e4d922d3c2ad5e07b31df28d634272b68afb1c

  • SHA512

    20da6c1dd9fa64ee5d91b05162747e57ae5548a72b9ca302b3516389ecd2d31bc70d7221a86fd58cb54b484d23d8d8eca8703d588a0d4a109d4af6a7431a5ff4

  • SSDEEP

    1536:UiYwjQt6QJvzZsgDIWzm/xsXfv+hYhyQQyV5uv4JBrB7w5VRGulTG1ZCL8nj1oDf:0wjZQJvzZsgsW6/Afv+hYfQIm4/rdE3Y

Score
10/10
modiloaderpersistencetrojanupx

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • ModiLoader Second Stage 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • UPX packed file 22 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5e3039f9dce50e58bd98fc0282edb410_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\5e3039f9dce50e58bd98fc0282edb410_NeikiAnalytics.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2292
    • C:\Users\Admin\AppData\Local\Temp\5e3039f9dce50e58bd98fc0282edb410_NeikiAnalytics.exe
      "C:\Users\Admin\AppData\Local\Temp\5e3039f9dce50e58bd98fc0282edb410_NeikiAnalytics.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2620
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PGFQN.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2840
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Win Pdf" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe" /f
          4⤵
          • Adds Run key to start application
          PID:1944
      • C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:944
        • C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:868
        • C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
          4⤵
          • Executes dropped EXE
          PID:1028

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\PGFQN.bat
    Filesize

    145B

    MD5

    4eb61ec7816c34ec8c125acadc57ec1b

    SHA1

    b0015cc865c0bb1a027be663027d3829401a31cc

    SHA256

    08375cdb2e9819391f67f71e9718c15b48d3eaa452c54bd8fdd1f6a42e899aff

    SHA512

    f289f01d996dd643560370be8cdf8894e9a676ca3813f706c01ef5d705b9b18246c6cadf10d96edd433a616637b8a78fbd23c5738e76f1c4e671977b6d0cb6c1

    Download Submit
  • \Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
    Filesize

    90KB

    MD5

    f981f0f8ab3fb3c6c5a6fbceeec63a65

    SHA1

    8c1d8bdc4426044f02b212aa1dcff64cd40bc610

    SHA256

    c560df44a20c380803a11b0349be59b6aeedad478df31feebaa6e7d97b64264b

    SHA512

    1293028e11a084abf7675eddb87a6d354dfbb1f918647a4b10b2c834fc09dd30127b19824acfd2e50edec25dbf45bdeb912002ba874c994c8c3d62b6a118d4a0

    Download Submit
  • memory/868-261-0x0000000000400000-0x000000000040B000-memory.dmp
    Filesize

    44KB

    Download
  • memory/944-253-0x0000000000400000-0x0000000000453000-memory.dmp
    Filesize

    332KB

    Download
  • memory/944-175-0x0000000000400000-0x0000000000453000-memory.dmp
    Filesize

    332KB

    Download
  • memory/944-178-0x00000000002F0000-0x00000000002F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/944-212-0x0000000000400000-0x0000000000453000-memory.dmp
    Filesize

    332KB

    Download
  • memory/944-166-0x00000000002D0000-0x00000000002D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/944-156-0x0000000000230000-0x0000000000231000-memory.dmp
    Filesize

    4KB

    Download
  • memory/944-150-0x0000000000400000-0x0000000000453000-memory.dmp
    Filesize

    332KB

    Download
  • memory/1028-262-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize

    80KB

    Download
  • memory/1028-250-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize

    80KB

    Download
  • memory/2292-80-0x00000000003A0000-0x00000000003A2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2292-70-0x0000000000380000-0x0000000000381000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2292-92-0x0000000001DC0000-0x0000000001E13000-memory.dmp
    Filesize

    332KB

    Download
  • memory/2292-3-0x0000000000230000-0x0000000000231000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2292-25-0x0000000000400000-0x0000000000453000-memory.dmp
    Filesize

    332KB

    Download
  • memory/2292-40-0x0000000000290000-0x0000000000291000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2292-60-0x00000000002E0000-0x00000000002E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2292-28-0x0000000000270000-0x0000000000271000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2292-15-0x0000000000250000-0x0000000000251000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2292-103-0x0000000000400000-0x0000000000453000-memory.dmp
    Filesize

    332KB

    Download
  • memory/2292-5-0x0000000000230000-0x0000000000231000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2292-91-0x0000000000400000-0x0000000000453000-memory.dmp
    Filesize

    332KB

    Download
  • memory/2292-82-0x0000000000400000-0x0000000000453000-memory.dmp
    Filesize

    332KB

    Download
  • memory/2292-78-0x0000000000404000-0x0000000000405000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2292-79-0x0000000000400000-0x0000000000453000-memory.dmp
    Filesize

    332KB

    Download
  • memory/2292-0-0x0000000000400000-0x0000000000453000-memory.dmp
    Filesize

    332KB

    Download
  • memory/2620-148-0x00000000026F0000-0x0000000002743000-memory.dmp
    Filesize

    332KB

    Download
  • memory/2620-153-0x0000000000400000-0x000000000040B000-memory.dmp
    Filesize

    44KB

    Download
  • memory/2620-147-0x00000000026F0000-0x0000000002743000-memory.dmp
    Filesize

    332KB

    Download
  • memory/2620-93-0x0000000000400000-0x000000000040B000-memory.dmp
    Filesize

    44KB

    Download
  • memory/2620-95-0x0000000000400000-0x000000000040B000-memory.dmp
    Filesize

    44KB

    Download
  • memory/2620-99-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2620-107-0x0000000000400000-0x000000000040B000-memory.dmp
    Filesize

    44KB

    Download
  • memory/2620-108-0x0000000000400000-0x000000000040B000-memory.dmp
    Filesize

    44KB

    Download
  • memory/2620-106-0x0000000000400000-0x000000000040B000-memory.dmp
    Filesize

    44KB

    Download
  • memory/2620-256-0x0000000000400000-0x000000000040B000-memory.dmp
    Filesize

    44KB

    Download
  • memory/2620-101-0x0000000000400000-0x000000000040B000-memory.dmp
    Filesize

    44KB

    Download
  • memory/2620-97-0x0000000000400000-0x000000000040B000-memory.dmp
    Filesize

    44KB

    Download