modiloader | 76e5a6b02470e39af23bd3408040422f43a4676f7ec12d3d2d4f6368daccd95d

General

Target

b3ff9194527249198547eca90b31aac0_NeikiAnalytics.exe
Size

90KB
MD5

b3ff9194527249198547eca90b31aac0
SHA1

3e0a5081b2c9fab65c5ce43d8b6442dc6cab0961
SHA256

76e5a6b02470e39af23bd3408040422f43a4676f7ec12d3d2d4f6368daccd95d
SHA512

7562ab7c3cdaaa521dc5b7c7c79c1f8aed67655649c51fbd24d16364b39253f06b5d10ccf7801ffa3c794eb48bc0643aa212ad0cfd841f161fec18763c06d9fd
SSDEEP

1536:UiYwjQt6QJvzZsgDIWzm/xsXfv+hYhyQQyV5uv4JBrB7w5VRGulTG1ZCL8nj1oDK:0wjZQJvzZsgsW6/Afv+hYfQIm4/rdE3Y

Score

10^/10

modiloader persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4292-52-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2
behavioral2/memory/4292-55-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2
behavioral2/memory/4292-51-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b3ff9194527249198547eca90b31aac0_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	b3ff9194527249198547eca90b31aac0_NeikiAnalytics.exe

Executes dropped EXE 3 IoCs

Processes:

csrsll.execsrsll.execsrsll.exe

pid process

2496 csrsll.exe
4244 csrsll.exe
4292 csrsll.exe

pid	process
2496	csrsll.exe
4244	csrsll.exe
4292	csrsll.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/212-0-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/1580-3-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/1580-9-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/212-12-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/1580-11-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe	upx
behavioral2/memory/2496-36-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/2496-41-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/4292-49-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/4292-44-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/4292-52-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/2496-54-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/4292-55-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/1580-58-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4292-51-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/4244-59-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Win Pdf = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\csrsll.exe"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

b3ff9194527249198547eca90b31aac0_NeikiAnalytics.execsrsll.exe

description	pid	process	target process
PID 212 set thread context of 1580	212	b3ff9194527249198547eca90b31aac0_NeikiAnalytics.exe	b3ff9194527249198547eca90b31aac0_NeikiAnalytics.exe
PID 2496 set thread context of 4244	2496	csrsll.exe	csrsll.exe
PID 2496 set thread context of 4292	2496	csrsll.exe	csrsll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

csrsll.exe

description	pid	process
Token: SeDebugPrivilege	4244	csrsll.exe
Token: SeDebugPrivilege	4244	csrsll.exe
Token: SeDebugPrivilege	4244	csrsll.exe
Token: SeDebugPrivilege	4244	csrsll.exe
Token: SeDebugPrivilege	4244	csrsll.exe
Token: SeDebugPrivilege	4244	csrsll.exe
Token: SeDebugPrivilege	4244	csrsll.exe
Token: SeDebugPrivilege	4244	csrsll.exe
Token: SeDebugPrivilege	4244	csrsll.exe
Token: SeDebugPrivilege	4244	csrsll.exe
Token: SeDebugPrivilege	4244	csrsll.exe
Token: SeDebugPrivilege	4244	csrsll.exe
Token: SeDebugPrivilege	4244	csrsll.exe
Token: SeDebugPrivilege	4244	csrsll.exe
Token: SeDebugPrivilege	4244	csrsll.exe
Token: SeDebugPrivilege	4244	csrsll.exe
Token: SeDebugPrivilege	4244	csrsll.exe
Token: SeDebugPrivilege	4244	csrsll.exe
Token: SeDebugPrivilege	4244	csrsll.exe
Token: SeDebugPrivilege	4244	csrsll.exe
Token: SeDebugPrivilege	4244	csrsll.exe
Token: SeDebugPrivilege	4244	csrsll.exe
Token: SeDebugPrivilege	4244	csrsll.exe
Token: SeDebugPrivilege	4244	csrsll.exe
Token: SeDebugPrivilege	4244	csrsll.exe
Token: SeDebugPrivilege	4244	csrsll.exe
Token: SeDebugPrivilege	4244	csrsll.exe
Token: SeDebugPrivilege	4244	csrsll.exe
Token: SeDebugPrivilege	4244	csrsll.exe
Token: SeDebugPrivilege	4244	csrsll.exe
Token: SeDebugPrivilege	4244	csrsll.exe
Token: SeDebugPrivilege	4244	csrsll.exe
Token: SeDebugPrivilege	4244	csrsll.exe
Token: SeDebugPrivilege	4244	csrsll.exe
Token: SeDebugPrivilege	4244	csrsll.exe
Token: SeDebugPrivilege	4244	csrsll.exe
Token: SeDebugPrivilege	4244	csrsll.exe
Token: SeDebugPrivilege	4244	csrsll.exe
Token: SeDebugPrivilege	4244	csrsll.exe
Token: SeDebugPrivilege	4244	csrsll.exe
Token: SeDebugPrivilege	4244	csrsll.exe
Token: SeDebugPrivilege	4244	csrsll.exe
Token: SeDebugPrivilege	4244	csrsll.exe
Token: SeDebugPrivilege	4244	csrsll.exe
Token: SeDebugPrivilege	4244	csrsll.exe
Token: SeDebugPrivilege	4244	csrsll.exe
Token: SeDebugPrivilege	4244	csrsll.exe
Token: SeDebugPrivilege	4244	csrsll.exe
Token: SeDebugPrivilege	4244	csrsll.exe
Token: SeDebugPrivilege	4244	csrsll.exe
Token: SeDebugPrivilege	4244	csrsll.exe
Token: SeDebugPrivilege	4244	csrsll.exe
Token: SeDebugPrivilege	4244	csrsll.exe
Token: SeDebugPrivilege	4244	csrsll.exe
Token: SeDebugPrivilege	4244	csrsll.exe
Token: SeDebugPrivilege	4244	csrsll.exe
Token: SeDebugPrivilege	4244	csrsll.exe
Token: SeDebugPrivilege	4244	csrsll.exe
Token: SeDebugPrivilege	4244	csrsll.exe
Token: SeDebugPrivilege	4244	csrsll.exe
Token: SeDebugPrivilege	4244	csrsll.exe
Token: SeDebugPrivilege	4244	csrsll.exe
Token: SeDebugPrivilege	4244	csrsll.exe
Token: SeDebugPrivilege	4244	csrsll.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

b3ff9194527249198547eca90b31aac0_NeikiAnalytics.exeb3ff9194527249198547eca90b31aac0_NeikiAnalytics.execsrsll.execsrsll.exe

pid process

212 b3ff9194527249198547eca90b31aac0_NeikiAnalytics.exe
1580 b3ff9194527249198547eca90b31aac0_NeikiAnalytics.exe
2496 csrsll.exe
4244 csrsll.exe

pid	process
212	b3ff9194527249198547eca90b31aac0_NeikiAnalytics.exe
1580	b3ff9194527249198547eca90b31aac0_NeikiAnalytics.exe
2496	csrsll.exe
4244	csrsll.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

b3ff9194527249198547eca90b31aac0_NeikiAnalytics.exeb3ff9194527249198547eca90b31aac0_NeikiAnalytics.execmd.execsrsll.exe

description	pid	process	target process
PID 212 wrote to memory of 1580	212	b3ff9194527249198547eca90b31aac0_NeikiAnalytics.exe	b3ff9194527249198547eca90b31aac0_NeikiAnalytics.exe
PID 212 wrote to memory of 1580	212	b3ff9194527249198547eca90b31aac0_NeikiAnalytics.exe	b3ff9194527249198547eca90b31aac0_NeikiAnalytics.exe
PID 212 wrote to memory of 1580	212	b3ff9194527249198547eca90b31aac0_NeikiAnalytics.exe	b3ff9194527249198547eca90b31aac0_NeikiAnalytics.exe
PID 212 wrote to memory of 1580	212	b3ff9194527249198547eca90b31aac0_NeikiAnalytics.exe	b3ff9194527249198547eca90b31aac0_NeikiAnalytics.exe
PID 212 wrote to memory of 1580	212	b3ff9194527249198547eca90b31aac0_NeikiAnalytics.exe	b3ff9194527249198547eca90b31aac0_NeikiAnalytics.exe
PID 212 wrote to memory of 1580	212	b3ff9194527249198547eca90b31aac0_NeikiAnalytics.exe	b3ff9194527249198547eca90b31aac0_NeikiAnalytics.exe
PID 212 wrote to memory of 1580	212	b3ff9194527249198547eca90b31aac0_NeikiAnalytics.exe	b3ff9194527249198547eca90b31aac0_NeikiAnalytics.exe
PID 212 wrote to memory of 1580	212	b3ff9194527249198547eca90b31aac0_NeikiAnalytics.exe	b3ff9194527249198547eca90b31aac0_NeikiAnalytics.exe
PID 1580 wrote to memory of 2540	1580	b3ff9194527249198547eca90b31aac0_NeikiAnalytics.exe	cmd.exe
PID 1580 wrote to memory of 2540	1580	b3ff9194527249198547eca90b31aac0_NeikiAnalytics.exe	cmd.exe
PID 1580 wrote to memory of 2540	1580	b3ff9194527249198547eca90b31aac0_NeikiAnalytics.exe	cmd.exe
PID 2540 wrote to memory of 4224	2540	cmd.exe	reg.exe
PID 2540 wrote to memory of 4224	2540	cmd.exe	reg.exe
PID 2540 wrote to memory of 4224	2540	cmd.exe	reg.exe
PID 1580 wrote to memory of 2496	1580	b3ff9194527249198547eca90b31aac0_NeikiAnalytics.exe	csrsll.exe
PID 1580 wrote to memory of 2496	1580	b3ff9194527249198547eca90b31aac0_NeikiAnalytics.exe	csrsll.exe
PID 1580 wrote to memory of 2496	1580	b3ff9194527249198547eca90b31aac0_NeikiAnalytics.exe	csrsll.exe
PID 2496 wrote to memory of 4244	2496	csrsll.exe	csrsll.exe
PID 2496 wrote to memory of 4244	2496	csrsll.exe	csrsll.exe
PID 2496 wrote to memory of 4244	2496	csrsll.exe	csrsll.exe
PID 2496 wrote to memory of 4244	2496	csrsll.exe	csrsll.exe
PID 2496 wrote to memory of 4244	2496	csrsll.exe	csrsll.exe
PID 2496 wrote to memory of 4244	2496	csrsll.exe	csrsll.exe
PID 2496 wrote to memory of 4244	2496	csrsll.exe	csrsll.exe
PID 2496 wrote to memory of 4244	2496	csrsll.exe	csrsll.exe
PID 2496 wrote to memory of 4292	2496	csrsll.exe	csrsll.exe
PID 2496 wrote to memory of 4292	2496	csrsll.exe	csrsll.exe
PID 2496 wrote to memory of 4292	2496	csrsll.exe	csrsll.exe
PID 2496 wrote to memory of 4292	2496	csrsll.exe	csrsll.exe
PID 2496 wrote to memory of 4292	2496	csrsll.exe	csrsll.exe
PID 2496 wrote to memory of 4292	2496	csrsll.exe	csrsll.exe
PID 2496 wrote to memory of 4292	2496	csrsll.exe	csrsll.exe
PID 2496 wrote to memory of 4292	2496	csrsll.exe	csrsll.exe

C:\Users\Admin\AppData\Local\Temp\b3ff9194527249198547eca90b31aac0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b3ff9194527249198547eca90b31aac0_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:212

C:\Users\Admin\AppData\Local\Temp\b3ff9194527249198547eca90b31aac0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b3ff9194527249198547eca90b31aac0_NeikiAnalytics.exe"
2⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IHUBL.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2540

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Win Pdf" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe" /f
4⤵
- Adds Run key to start application
PID:4224

C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2496

C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4244

C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
4⤵
- Executes dropped EXE
PID:4292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4308,i,6041070687820623968,3004230300437737550,262144 --variations-seed-version --mojo-platform-channel-handle=3584 /prefetch:8
1⤵
PID:1216

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IHUBL.txt
Filesize
145B

MD5
4eb61ec7816c34ec8c125acadc57ec1b

SHA1
b0015cc865c0bb1a027be663027d3829401a31cc

SHA256
08375cdb2e9819391f67f71e9718c15b48d3eaa452c54bd8fdd1f6a42e899aff

SHA512
f289f01d996dd643560370be8cdf8894e9a676ca3813f706c01ef5d705b9b18246c6cadf10d96edd433a616637b8a78fbd23c5738e76f1c4e671977b6d0cb6c1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
Filesize
90KB

MD5
4dc4548e415c0b498591da836013aecc

SHA1
6d75e4449334e05b1c7534dc817b674dea68b3aa

SHA256
516b0aff873a331e3770f6ada835b28802b5f498617745b4defb61695f133619

SHA512
77636c71d6530feef89de521d24830b5eaeb3aa49fe0a1b5ae1cbec99651b07c9ef4616854d974da25a59743698d7cbff0281efa19764dbcc289044af3140fcd

Download Submit
memory/212-12-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/212-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/212-6-0x00000000021E0000-0x00000000021E2000-memory.dmp

Filesize
8KB

Download
memory/212-5-0x00000000021D0000-0x00000000021D2000-memory.dmp

Filesize
8KB

Download
memory/212-4-0x00000000021C0000-0x00000000021C2000-memory.dmp

Filesize
8KB

Download
memory/212-7-0x00000000021F0000-0x00000000021F2000-memory.dmp

Filesize
8KB

Download
memory/1580-58-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1580-9-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1580-11-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1580-3-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2496-36-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2496-54-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2496-41-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4244-59-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4292-49-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4292-44-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4292-52-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4292-55-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4292-51-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads