modiloader | 21fe042cd2fd349edaa03e336f0ce9eaae9ba4e66823f4065dc94ad5e3127e88

General

Target

8ababd15827227492bd83e9e18f13840_NeikiAnalytics.exe
Size

308KB
MD5

8ababd15827227492bd83e9e18f13840
SHA1

5a41dc28870ea063ce02b8c8444afe686e893fd2
SHA256

21fe042cd2fd349edaa03e336f0ce9eaae9ba4e66823f4065dc94ad5e3127e88
SHA512

f2be67808648e28384065769b9fd777e5fc6d18c90755950bfefbf78bbbb2185523da24022da3f836fb5554df456485cc32c224814a8c95073804eb3ac9a608a
SSDEEP

3072:/c3sBG7mXh7m/zZM3jAbNOM6CNtDCZFL:E3sBz0Z4Mj72F

Score

10^/10

modiloader persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/96656-147849-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2

Executes dropped EXE 3 IoCs

Processes:

csrsll.execsrsll.execsrsll.exe

pid process

87664 csrsll.exe
96560 csrsll.exe
96656 csrsll.exe

pid	process
87664	csrsll.exe
96560	csrsll.exe
96656	csrsll.exe

Loads dropped DLL 5 IoCs

Processes:

8ababd15827227492bd83e9e18f13840_NeikiAnalytics.exe

pid	process
87088	8ababd15827227492bd83e9e18f13840_NeikiAnalytics.exe
87088	8ababd15827227492bd83e9e18f13840_NeikiAnalytics.exe
87088	8ababd15827227492bd83e9e18f13840_NeikiAnalytics.exe
87088	8ababd15827227492bd83e9e18f13840_NeikiAnalytics.exe
87088	8ababd15827227492bd83e9e18f13840_NeikiAnalytics.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/87088-73918-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/87088-73920-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/87088-73923-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/87088-73924-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/87088-73925-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/87088-136330-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/96656-147837-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/87088-147840-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/96560-147848-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/96656-147849-0x0000000000400000-0x0000000000414000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Win Pdf = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\csrsll.exe"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

8ababd15827227492bd83e9e18f13840_NeikiAnalytics.execsrsll.exe

description	pid	process	target process
PID 1804 set thread context of 87088	1804	8ababd15827227492bd83e9e18f13840_NeikiAnalytics.exe	8ababd15827227492bd83e9e18f13840_NeikiAnalytics.exe
PID 87664 set thread context of 96560	87664	csrsll.exe	csrsll.exe
PID 87664 set thread context of 96656	87664	csrsll.exe	csrsll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

csrsll.exe

description	pid	process
Token: SeDebugPrivilege	96560	csrsll.exe
Token: SeDebugPrivilege	96560	csrsll.exe
Token: SeDebugPrivilege	96560	csrsll.exe
Token: SeDebugPrivilege	96560	csrsll.exe
Token: SeDebugPrivilege	96560	csrsll.exe
Token: SeDebugPrivilege	96560	csrsll.exe
Token: SeDebugPrivilege	96560	csrsll.exe
Token: SeDebugPrivilege	96560	csrsll.exe
Token: SeDebugPrivilege	96560	csrsll.exe
Token: SeDebugPrivilege	96560	csrsll.exe
Token: SeDebugPrivilege	96560	csrsll.exe
Token: SeDebugPrivilege	96560	csrsll.exe
Token: SeDebugPrivilege	96560	csrsll.exe
Token: SeDebugPrivilege	96560	csrsll.exe
Token: SeDebugPrivilege	96560	csrsll.exe
Token: SeDebugPrivilege	96560	csrsll.exe
Token: SeDebugPrivilege	96560	csrsll.exe
Token: SeDebugPrivilege	96560	csrsll.exe
Token: SeDebugPrivilege	96560	csrsll.exe
Token: SeDebugPrivilege	96560	csrsll.exe
Token: SeDebugPrivilege	96560	csrsll.exe
Token: SeDebugPrivilege	96560	csrsll.exe
Token: SeDebugPrivilege	96560	csrsll.exe
Token: SeDebugPrivilege	96560	csrsll.exe
Token: SeDebugPrivilege	96560	csrsll.exe
Token: SeDebugPrivilege	96560	csrsll.exe
Token: SeDebugPrivilege	96560	csrsll.exe
Token: SeDebugPrivilege	96560	csrsll.exe
Token: SeDebugPrivilege	96560	csrsll.exe
Token: SeDebugPrivilege	96560	csrsll.exe
Token: SeDebugPrivilege	96560	csrsll.exe
Token: SeDebugPrivilege	96560	csrsll.exe
Token: SeDebugPrivilege	96560	csrsll.exe
Token: SeDebugPrivilege	96560	csrsll.exe
Token: SeDebugPrivilege	96560	csrsll.exe
Token: SeDebugPrivilege	96560	csrsll.exe
Token: SeDebugPrivilege	96560	csrsll.exe
Token: SeDebugPrivilege	96560	csrsll.exe
Token: SeDebugPrivilege	96560	csrsll.exe
Token: SeDebugPrivilege	96560	csrsll.exe
Token: SeDebugPrivilege	96560	csrsll.exe
Token: SeDebugPrivilege	96560	csrsll.exe
Token: SeDebugPrivilege	96560	csrsll.exe
Token: SeDebugPrivilege	96560	csrsll.exe
Token: SeDebugPrivilege	96560	csrsll.exe
Token: SeDebugPrivilege	96560	csrsll.exe
Token: SeDebugPrivilege	96560	csrsll.exe
Token: SeDebugPrivilege	96560	csrsll.exe
Token: SeDebugPrivilege	96560	csrsll.exe
Token: SeDebugPrivilege	96560	csrsll.exe
Token: SeDebugPrivilege	96560	csrsll.exe
Token: SeDebugPrivilege	96560	csrsll.exe
Token: SeDebugPrivilege	96560	csrsll.exe
Token: SeDebugPrivilege	96560	csrsll.exe
Token: SeDebugPrivilege	96560	csrsll.exe
Token: SeDebugPrivilege	96560	csrsll.exe
Token: SeDebugPrivilege	96560	csrsll.exe
Token: SeDebugPrivilege	96560	csrsll.exe
Token: SeDebugPrivilege	96560	csrsll.exe
Token: SeDebugPrivilege	96560	csrsll.exe
Token: SeDebugPrivilege	96560	csrsll.exe
Token: SeDebugPrivilege	96560	csrsll.exe
Token: SeDebugPrivilege	96560	csrsll.exe
Token: SeDebugPrivilege	96560	csrsll.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

8ababd15827227492bd83e9e18f13840_NeikiAnalytics.exe8ababd15827227492bd83e9e18f13840_NeikiAnalytics.execsrsll.execsrsll.exe

pid	process
1804	8ababd15827227492bd83e9e18f13840_NeikiAnalytics.exe
87088	8ababd15827227492bd83e9e18f13840_NeikiAnalytics.exe
87664	csrsll.exe
96560	csrsll.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

8ababd15827227492bd83e9e18f13840_NeikiAnalytics.exe8ababd15827227492bd83e9e18f13840_NeikiAnalytics.execmd.execsrsll.exe

description	pid	process	target process
PID 1804 wrote to memory of 87088	1804	8ababd15827227492bd83e9e18f13840_NeikiAnalytics.exe	8ababd15827227492bd83e9e18f13840_NeikiAnalytics.exe
PID 1804 wrote to memory of 87088	1804	8ababd15827227492bd83e9e18f13840_NeikiAnalytics.exe	8ababd15827227492bd83e9e18f13840_NeikiAnalytics.exe
PID 1804 wrote to memory of 87088	1804	8ababd15827227492bd83e9e18f13840_NeikiAnalytics.exe	8ababd15827227492bd83e9e18f13840_NeikiAnalytics.exe
PID 1804 wrote to memory of 87088	1804	8ababd15827227492bd83e9e18f13840_NeikiAnalytics.exe	8ababd15827227492bd83e9e18f13840_NeikiAnalytics.exe
PID 1804 wrote to memory of 87088	1804	8ababd15827227492bd83e9e18f13840_NeikiAnalytics.exe	8ababd15827227492bd83e9e18f13840_NeikiAnalytics.exe
PID 1804 wrote to memory of 87088	1804	8ababd15827227492bd83e9e18f13840_NeikiAnalytics.exe	8ababd15827227492bd83e9e18f13840_NeikiAnalytics.exe
PID 1804 wrote to memory of 87088	1804	8ababd15827227492bd83e9e18f13840_NeikiAnalytics.exe	8ababd15827227492bd83e9e18f13840_NeikiAnalytics.exe
PID 1804 wrote to memory of 87088	1804	8ababd15827227492bd83e9e18f13840_NeikiAnalytics.exe	8ababd15827227492bd83e9e18f13840_NeikiAnalytics.exe
PID 87088 wrote to memory of 87440	87088	8ababd15827227492bd83e9e18f13840_NeikiAnalytics.exe	cmd.exe
PID 87088 wrote to memory of 87440	87088	8ababd15827227492bd83e9e18f13840_NeikiAnalytics.exe	cmd.exe
PID 87088 wrote to memory of 87440	87088	8ababd15827227492bd83e9e18f13840_NeikiAnalytics.exe	cmd.exe
PID 87088 wrote to memory of 87440	87088	8ababd15827227492bd83e9e18f13840_NeikiAnalytics.exe	cmd.exe
PID 87440 wrote to memory of 87592	87440	cmd.exe	reg.exe
PID 87440 wrote to memory of 87592	87440	cmd.exe	reg.exe
PID 87440 wrote to memory of 87592	87440	cmd.exe	reg.exe
PID 87440 wrote to memory of 87592	87440	cmd.exe	reg.exe
PID 87088 wrote to memory of 87664	87088	8ababd15827227492bd83e9e18f13840_NeikiAnalytics.exe	csrsll.exe
PID 87088 wrote to memory of 87664	87088	8ababd15827227492bd83e9e18f13840_NeikiAnalytics.exe	csrsll.exe
PID 87088 wrote to memory of 87664	87088	8ababd15827227492bd83e9e18f13840_NeikiAnalytics.exe	csrsll.exe
PID 87088 wrote to memory of 87664	87088	8ababd15827227492bd83e9e18f13840_NeikiAnalytics.exe	csrsll.exe
PID 87664 wrote to memory of 96560	87664	csrsll.exe	csrsll.exe
PID 87664 wrote to memory of 96560	87664	csrsll.exe	csrsll.exe
PID 87664 wrote to memory of 96560	87664	csrsll.exe	csrsll.exe
PID 87664 wrote to memory of 96560	87664	csrsll.exe	csrsll.exe
PID 87664 wrote to memory of 96560	87664	csrsll.exe	csrsll.exe
PID 87664 wrote to memory of 96560	87664	csrsll.exe	csrsll.exe
PID 87664 wrote to memory of 96560	87664	csrsll.exe	csrsll.exe
PID 87664 wrote to memory of 96560	87664	csrsll.exe	csrsll.exe
PID 87664 wrote to memory of 96656	87664	csrsll.exe	csrsll.exe
PID 87664 wrote to memory of 96656	87664	csrsll.exe	csrsll.exe
PID 87664 wrote to memory of 96656	87664	csrsll.exe	csrsll.exe
PID 87664 wrote to memory of 96656	87664	csrsll.exe	csrsll.exe
PID 87664 wrote to memory of 96656	87664	csrsll.exe	csrsll.exe
PID 87664 wrote to memory of 96656	87664	csrsll.exe	csrsll.exe
PID 87664 wrote to memory of 96656	87664	csrsll.exe	csrsll.exe
PID 87664 wrote to memory of 96656	87664	csrsll.exe	csrsll.exe

C:\Users\Admin\AppData\Local\Temp\8ababd15827227492bd83e9e18f13840_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8ababd15827227492bd83e9e18f13840_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1804

C:\Users\Admin\AppData\Local\Temp\8ababd15827227492bd83e9e18f13840_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8ababd15827227492bd83e9e18f13840_NeikiAnalytics.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:87088

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\WAXLX.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:87440

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Win Pdf" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe" /f
4⤵
- Adds Run key to start application
PID:87592

C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:87664

C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:96560

C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
4⤵
- Executes dropped EXE
PID:96656

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WAXLX.bat
Filesize
145B

MD5
4eb61ec7816c34ec8c125acadc57ec1b

SHA1
b0015cc865c0bb1a027be663027d3829401a31cc

SHA256
08375cdb2e9819391f67f71e9718c15b48d3eaa452c54bd8fdd1f6a42e899aff

SHA512
f289f01d996dd643560370be8cdf8894e9a676ca3813f706c01ef5d705b9b18246c6cadf10d96edd433a616637b8a78fbd23c5738e76f1c4e671977b6d0cb6c1

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
Filesize
308KB

MD5
13752bc35df74d2144ed0f3c6d1efd3f

SHA1
a1977b5bd02e62cd2dae60e5472b7962271bf2d2

SHA256
8342b1ee5349cef0912ca72ddf00f4c14ea70176457762fe7e8220e0c2914b04

SHA512
640d5eaf4d185eb520583a68525d0edb11e2328e25b950676f8696cfb5f5c274f160b4b779a457c09a7a003522c408d47223972efceff3303f89cb10233af877

Download Submit
memory/1804-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1804-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/87088-73925-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/87088-73922-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/87088-73923-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/87088-73924-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/87088-73920-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/87088-73918-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/87088-73916-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/87088-136330-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/87088-147840-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/87664-73965-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/96560-147848-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/96656-147837-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/96656-147849-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads