modiloader | 88b18c3bf877c19bc019cde65afd99c097a6e32627c354113de4e010cc0e8f9c

General

Target

7ef87be7961d7b746aca1d6aa2a74290_NeikiAnalytics.exe
Size

326KB
MD5

7ef87be7961d7b746aca1d6aa2a74290
SHA1

726e0f7a8d7f6584b7f7d210f331ab4bab679250
SHA256

88b18c3bf877c19bc019cde65afd99c097a6e32627c354113de4e010cc0e8f9c
SHA512

fcf0574f623f6ddc22765a15fa536299494cbbce010e82f4a7e90e18fda4bfd35751fe9a0f5231ca7477894273dd669c56cacbdbcfdf16629052196fa44c8bb2
SSDEEP

3072:ce2A0wxDqUpM5scww4chO+O1BmP5DG0sg3i4XZ9WvDZHwdRX/L+gP38XV:csxD5cwohO+O1sVG0/pZ6iPC8

Score

10^/10

modiloader persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/788-247-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2
behavioral1/memory/788-260-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2

Executes dropped EXE 3 IoCs

Processes:

csrsll.execsrsll.execsrsll.exe

pid process

800 csrsll.exe
636 csrsll.exe
788 csrsll.exe

pid	process
800	csrsll.exe
636	csrsll.exe
788	csrsll.exe

Loads dropped DLL 5 IoCs

Processes:

7ef87be7961d7b746aca1d6aa2a74290_NeikiAnalytics.exe

pid	process
2580	7ef87be7961d7b746aca1d6aa2a74290_NeikiAnalytics.exe
2580	7ef87be7961d7b746aca1d6aa2a74290_NeikiAnalytics.exe
2580	7ef87be7961d7b746aca1d6aa2a74290_NeikiAnalytics.exe
2580	7ef87be7961d7b746aca1d6aa2a74290_NeikiAnalytics.exe
2580	7ef87be7961d7b746aca1d6aa2a74290_NeikiAnalytics.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2916-0-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2916-79-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2916-88-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2916-93-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2580-102-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2580-98-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2580-105-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2580-96-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2916-83-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2916-82-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2916-71-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2580-106-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2916-109-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2580-108-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2580-107-0x0000000000400000-0x000000000040B000-memory.dmp	upx
\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe	upx
behavioral1/memory/800-151-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2580-149-0x0000000003470000-0x00000000034C4000-memory.dmp	upx
behavioral1/memory/800-213-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/788-247-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/800-249-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2580-254-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/636-259-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/788-260-0x0000000000400000-0x0000000000414000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Win Pdf = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\csrsll.exe"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

7ef87be7961d7b746aca1d6aa2a74290_NeikiAnalytics.execsrsll.exe

description	pid	process	target process
PID 2916 set thread context of 2580	2916	7ef87be7961d7b746aca1d6aa2a74290_NeikiAnalytics.exe	7ef87be7961d7b746aca1d6aa2a74290_NeikiAnalytics.exe
PID 800 set thread context of 636	800	csrsll.exe	csrsll.exe
PID 800 set thread context of 788	800	csrsll.exe	csrsll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

csrsll.exe

description	pid	process
Token: SeDebugPrivilege	636	csrsll.exe
Token: SeDebugPrivilege	636	csrsll.exe
Token: SeDebugPrivilege	636	csrsll.exe
Token: SeDebugPrivilege	636	csrsll.exe
Token: SeDebugPrivilege	636	csrsll.exe
Token: SeDebugPrivilege	636	csrsll.exe
Token: SeDebugPrivilege	636	csrsll.exe
Token: SeDebugPrivilege	636	csrsll.exe
Token: SeDebugPrivilege	636	csrsll.exe
Token: SeDebugPrivilege	636	csrsll.exe
Token: SeDebugPrivilege	636	csrsll.exe
Token: SeDebugPrivilege	636	csrsll.exe
Token: SeDebugPrivilege	636	csrsll.exe
Token: SeDebugPrivilege	636	csrsll.exe
Token: SeDebugPrivilege	636	csrsll.exe
Token: SeDebugPrivilege	636	csrsll.exe
Token: SeDebugPrivilege	636	csrsll.exe
Token: SeDebugPrivilege	636	csrsll.exe
Token: SeDebugPrivilege	636	csrsll.exe
Token: SeDebugPrivilege	636	csrsll.exe
Token: SeDebugPrivilege	636	csrsll.exe
Token: SeDebugPrivilege	636	csrsll.exe
Token: SeDebugPrivilege	636	csrsll.exe
Token: SeDebugPrivilege	636	csrsll.exe
Token: SeDebugPrivilege	636	csrsll.exe
Token: SeDebugPrivilege	636	csrsll.exe
Token: SeDebugPrivilege	636	csrsll.exe
Token: SeDebugPrivilege	636	csrsll.exe
Token: SeDebugPrivilege	636	csrsll.exe
Token: SeDebugPrivilege	636	csrsll.exe
Token: SeDebugPrivilege	636	csrsll.exe
Token: SeDebugPrivilege	636	csrsll.exe
Token: SeDebugPrivilege	636	csrsll.exe
Token: SeDebugPrivilege	636	csrsll.exe
Token: SeDebugPrivilege	636	csrsll.exe
Token: SeDebugPrivilege	636	csrsll.exe
Token: SeDebugPrivilege	636	csrsll.exe
Token: SeDebugPrivilege	636	csrsll.exe
Token: SeDebugPrivilege	636	csrsll.exe
Token: SeDebugPrivilege	636	csrsll.exe
Token: SeDebugPrivilege	636	csrsll.exe
Token: SeDebugPrivilege	636	csrsll.exe
Token: SeDebugPrivilege	636	csrsll.exe
Token: SeDebugPrivilege	636	csrsll.exe
Token: SeDebugPrivilege	636	csrsll.exe
Token: SeDebugPrivilege	636	csrsll.exe
Token: SeDebugPrivilege	636	csrsll.exe
Token: SeDebugPrivilege	636	csrsll.exe
Token: SeDebugPrivilege	636	csrsll.exe
Token: SeDebugPrivilege	636	csrsll.exe
Token: SeDebugPrivilege	636	csrsll.exe
Token: SeDebugPrivilege	636	csrsll.exe
Token: SeDebugPrivilege	636	csrsll.exe
Token: SeDebugPrivilege	636	csrsll.exe
Token: SeDebugPrivilege	636	csrsll.exe
Token: SeDebugPrivilege	636	csrsll.exe
Token: SeDebugPrivilege	636	csrsll.exe
Token: SeDebugPrivilege	636	csrsll.exe
Token: SeDebugPrivilege	636	csrsll.exe
Token: SeDebugPrivilege	636	csrsll.exe
Token: SeDebugPrivilege	636	csrsll.exe
Token: SeDebugPrivilege	636	csrsll.exe
Token: SeDebugPrivilege	636	csrsll.exe
Token: SeDebugPrivilege	636	csrsll.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

7ef87be7961d7b746aca1d6aa2a74290_NeikiAnalytics.exe7ef87be7961d7b746aca1d6aa2a74290_NeikiAnalytics.execsrsll.execsrsll.exe

pid process

2916 7ef87be7961d7b746aca1d6aa2a74290_NeikiAnalytics.exe
2580 7ef87be7961d7b746aca1d6aa2a74290_NeikiAnalytics.exe
800 csrsll.exe
636 csrsll.exe

pid	process
2916	7ef87be7961d7b746aca1d6aa2a74290_NeikiAnalytics.exe
2580	7ef87be7961d7b746aca1d6aa2a74290_NeikiAnalytics.exe
800	csrsll.exe
636	csrsll.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

7ef87be7961d7b746aca1d6aa2a74290_NeikiAnalytics.exe7ef87be7961d7b746aca1d6aa2a74290_NeikiAnalytics.execmd.execsrsll.exe

description	pid	process	target process
PID 2916 wrote to memory of 2580	2916	7ef87be7961d7b746aca1d6aa2a74290_NeikiAnalytics.exe	7ef87be7961d7b746aca1d6aa2a74290_NeikiAnalytics.exe
PID 2916 wrote to memory of 2580	2916	7ef87be7961d7b746aca1d6aa2a74290_NeikiAnalytics.exe	7ef87be7961d7b746aca1d6aa2a74290_NeikiAnalytics.exe
PID 2916 wrote to memory of 2580	2916	7ef87be7961d7b746aca1d6aa2a74290_NeikiAnalytics.exe	7ef87be7961d7b746aca1d6aa2a74290_NeikiAnalytics.exe
PID 2916 wrote to memory of 2580	2916	7ef87be7961d7b746aca1d6aa2a74290_NeikiAnalytics.exe	7ef87be7961d7b746aca1d6aa2a74290_NeikiAnalytics.exe
PID 2916 wrote to memory of 2580	2916	7ef87be7961d7b746aca1d6aa2a74290_NeikiAnalytics.exe	7ef87be7961d7b746aca1d6aa2a74290_NeikiAnalytics.exe
PID 2916 wrote to memory of 2580	2916	7ef87be7961d7b746aca1d6aa2a74290_NeikiAnalytics.exe	7ef87be7961d7b746aca1d6aa2a74290_NeikiAnalytics.exe
PID 2916 wrote to memory of 2580	2916	7ef87be7961d7b746aca1d6aa2a74290_NeikiAnalytics.exe	7ef87be7961d7b746aca1d6aa2a74290_NeikiAnalytics.exe
PID 2916 wrote to memory of 2580	2916	7ef87be7961d7b746aca1d6aa2a74290_NeikiAnalytics.exe	7ef87be7961d7b746aca1d6aa2a74290_NeikiAnalytics.exe
PID 2580 wrote to memory of 948	2580	7ef87be7961d7b746aca1d6aa2a74290_NeikiAnalytics.exe	cmd.exe
PID 2580 wrote to memory of 948	2580	7ef87be7961d7b746aca1d6aa2a74290_NeikiAnalytics.exe	cmd.exe
PID 2580 wrote to memory of 948	2580	7ef87be7961d7b746aca1d6aa2a74290_NeikiAnalytics.exe	cmd.exe
PID 2580 wrote to memory of 948	2580	7ef87be7961d7b746aca1d6aa2a74290_NeikiAnalytics.exe	cmd.exe
PID 948 wrote to memory of 2812	948	cmd.exe	reg.exe
PID 948 wrote to memory of 2812	948	cmd.exe	reg.exe
PID 948 wrote to memory of 2812	948	cmd.exe	reg.exe
PID 948 wrote to memory of 2812	948	cmd.exe	reg.exe
PID 2580 wrote to memory of 800	2580	7ef87be7961d7b746aca1d6aa2a74290_NeikiAnalytics.exe	csrsll.exe
PID 2580 wrote to memory of 800	2580	7ef87be7961d7b746aca1d6aa2a74290_NeikiAnalytics.exe	csrsll.exe
PID 2580 wrote to memory of 800	2580	7ef87be7961d7b746aca1d6aa2a74290_NeikiAnalytics.exe	csrsll.exe
PID 2580 wrote to memory of 800	2580	7ef87be7961d7b746aca1d6aa2a74290_NeikiAnalytics.exe	csrsll.exe
PID 800 wrote to memory of 636	800	csrsll.exe	csrsll.exe
PID 800 wrote to memory of 636	800	csrsll.exe	csrsll.exe
PID 800 wrote to memory of 636	800	csrsll.exe	csrsll.exe
PID 800 wrote to memory of 636	800	csrsll.exe	csrsll.exe
PID 800 wrote to memory of 636	800	csrsll.exe	csrsll.exe
PID 800 wrote to memory of 636	800	csrsll.exe	csrsll.exe
PID 800 wrote to memory of 636	800	csrsll.exe	csrsll.exe
PID 800 wrote to memory of 636	800	csrsll.exe	csrsll.exe
PID 800 wrote to memory of 788	800	csrsll.exe	csrsll.exe
PID 800 wrote to memory of 788	800	csrsll.exe	csrsll.exe
PID 800 wrote to memory of 788	800	csrsll.exe	csrsll.exe
PID 800 wrote to memory of 788	800	csrsll.exe	csrsll.exe
PID 800 wrote to memory of 788	800	csrsll.exe	csrsll.exe
PID 800 wrote to memory of 788	800	csrsll.exe	csrsll.exe
PID 800 wrote to memory of 788	800	csrsll.exe	csrsll.exe
PID 800 wrote to memory of 788	800	csrsll.exe	csrsll.exe

C:\Users\Admin\AppData\Local\Temp\7ef87be7961d7b746aca1d6aa2a74290_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7ef87be7961d7b746aca1d6aa2a74290_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2916

C:\Users\Admin\AppData\Local\Temp\7ef87be7961d7b746aca1d6aa2a74290_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7ef87be7961d7b746aca1d6aa2a74290_NeikiAnalytics.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2580

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HDYCP.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Win Pdf" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe" /f
4⤵
- Adds Run key to start application
PID:2812

C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:800

C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:636

C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
4⤵
- Executes dropped EXE
PID:788

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HDYCP.bat
Filesize
145B

MD5
4eb61ec7816c34ec8c125acadc57ec1b

SHA1
b0015cc865c0bb1a027be663027d3829401a31cc

SHA256
08375cdb2e9819391f67f71e9718c15b48d3eaa452c54bd8fdd1f6a42e899aff

SHA512
f289f01d996dd643560370be8cdf8894e9a676ca3813f706c01ef5d705b9b18246c6cadf10d96edd433a616637b8a78fbd23c5738e76f1c4e671977b6d0cb6c1

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
Filesize
326KB

MD5
764640fa2e14fc9806f254ec651950bc

SHA1
e87eb26b611ff98f12978d1b7d38ae2c12eb6628

SHA256
021047b76d4a2abbe62180db306798e6cc25a668bb21e171cc1e9a86feabb2d4

SHA512
04385ea749984fad6ac67dfeed59b1b0f78049be480239a7235413bbcb28d28564db8e434a9e473b7a0087a8d5a640ae698eefcedea20e7e793358138fefbecd

Download Submit
memory/636-259-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/788-260-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/788-247-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/800-151-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/800-249-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/800-213-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/800-185-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/800-177-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/800-166-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/800-156-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2580-100-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2580-98-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2580-105-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2580-149-0x0000000003470000-0x00000000034C4000-memory.dmp

Filesize
336KB

Download
memory/2580-96-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2580-94-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2580-150-0x0000000003470000-0x00000000034C4000-memory.dmp

Filesize
336KB

Download
memory/2580-108-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2580-102-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2580-254-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2580-107-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2580-106-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2916-93-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2916-109-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2916-70-0x0000000001C40000-0x0000000001C41000-memory.dmp

Filesize
4KB

Download
memory/2916-71-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2916-80-0x0000000001CA0000-0x0000000001CA2000-memory.dmp

Filesize
8KB

Download
memory/2916-82-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2916-83-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2916-104-0x0000000002770000-0x00000000027C4000-memory.dmp

Filesize
336KB

Download
memory/2916-0-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2916-88-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2916-79-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2916-43-0x0000000000404000-0x0000000000405000-memory.dmp

Filesize
4KB

Download
memory/2916-60-0x0000000001C20000-0x0000000001C21000-memory.dmp

Filesize
4KB

Download
memory/2916-39-0x0000000001BA0000-0x0000000001BA1000-memory.dmp

Filesize
4KB

Download
memory/2916-27-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2916-15-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2916-5-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2916-3-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads