Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-06-2024 22:48
Behavioral task behavioral1
Sample: 18dd64b45b5c61964b14a52ff8859ddbd6941ccd386d0629779a7bf6ee287116_NeikiAnalytics.exe
Resource: win7-20240221-en
Behavioral task behavioral2
Sample: 18dd64b45b5c61964b14a52ff8859ddbd6941ccd386d0629779a7bf6ee287116_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General
Target: 18dd64b45b5c61964b14a52ff8859ddbd6941ccd386d0629779a7bf6ee287116_NeikiAnalytics.exe
Size: 90KB
MD5: ff6b6e18436baa89fea5ec3108c8fa90
SHA1: e994d2db5b75e837a358052608b1dd501ce94262
SHA256: 18dd64b45b5c61964b14a52ff8859ddbd6941ccd386d0629779a7bf6ee287116
SHA512: ee44bafbe5df81f4e8ab3d9e2158adfeff467443c682430d55169e2540298bc981949d2887e741f3e51c2610317cd61181ee65b3e4894b26c3bbda775740630e
SSDEEP: 1536:UiYwjQt6QJvzZsgDIWzm/xsXfv+hYhyQQyV5uv4JBrB7w5VRGulTG1ZCL8nj1oDK:0wjZQJvzZsgsW6/Afv+hYfQIm4/rdE3Y
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
ModiLoader Second Stage 3 IoCs
Processes:
resource / yara_rule
behavioral2/memory/4636-50-0x0000000000400000-0x0000000000414000-memory.dmp  modiloader_stage2
behavioral2/memory/4636-51-0x0000000000400000-0x0000000000414000-memory.dmp  modiloader_stage2
behavioral2/memory/4636-54-0x0000000000400000-0x0000000000414000-memory.dmp  modiloader_stage2
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 18dd64b45b5c61964b14a52ff8859ddbd6941ccd386d0629779a7bf6ee287116_NeikiAnalytics.exe
description / ioc / process
Key value queried  \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation  18dd64b45b5c61964b14a52ff8859ddbd6941ccd386d0629779a7bf6ee287116_NeikiAnalytics.exe
Executes dropped EXE 3 IoCs
Processes: csrsll.exe, csrsll.exe, csrsll.exe
pid / process
4432  csrsll.exe
2088  csrsll.exe
4636  csrsll.exe
Processes:
resource / yara_rule
behavioral2/memory/652-0-0x0000000000400000-0x0000000000453000-memory.dmp  upx
behavioral2/memory/2860-3-0x0000000000400000-0x000000000040B000-memory.dmp  upx
behavioral2/memory/2860-7-0x0000000000400000-0x000000000040B000-memory.dmp  upx
behavioral2/memory/652-10-0x0000000000400000-0x0000000000453000-memory.dmp  upx
behavioral2/memory/2860-9-0x0000000000400000-0x000000000040B000-memory.dmp  upx
C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe  upx
behavioral2/memory/4432-34-0x0000000000400000-0x0000000000453000-memory.dmp  upx
behavioral2/memory/4432-39-0x0000000000400000-0x0000000000453000-memory.dmp  upx
behavioral2/memory/4636-45-0x0000000000400000-0x0000000000414000-memory.dmp  upx
behavioral2/memory/4636-48-0x0000000000400000-0x0000000000414000-memory.dmp  upx
behavioral2/memory/4636-50-0x0000000000400000-0x0000000000414000-memory.dmp  upx
behavioral2/memory/4636-51-0x0000000000400000-0x0000000000414000-memory.dmp  upx
behavioral2/memory/4432-53-0x0000000000400000-0x0000000000453000-memory.dmp  upx
behavioral2/memory/4636-54-0x0000000000400000-0x0000000000414000-memory.dmp  upx
behavioral2/memory/2860-56-0x0000000000400000-0x000000000040B000-memory.dmp  upx
behavioral2/memory/2088-57-0x0000000000400000-0x000000000040B000-memory.dmp  upx
Adds Run key to start application 2 TTPs 1 IoCs
Processes: reg.exe
description / ioc / process
Set value (str)  \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Win Pdf = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\csrsll.exe"  reg.exe
Suspicious use of SetThreadContext 3 IoCs
Processes: 18dd64b45b5c61964b14a52ff8859ddbd6941ccd386d0629779a7bf6ee287116_NeikiAnalytics.exe, csrsll.exe
description / pid / process / target process
PID 652 set thread context of 2860  652  18dd64b45b5c61964b14a52ff8859ddbd6941ccd386d0629779a7bf6ee287116_NeikiAnalytics.exe  18dd64b45b5c61964b14a52ff8859ddbd6941ccd386d0629779a7bf6ee287116_NeikiAnalytics.exe
PID 4432 set thread context of 2088  4432  csrsll.exe  csrsll.exe
PID 4432 set thread context of 4636  4432  csrsll.exe  csrsll.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: csrsll.exe
description / pid / process
Token: SeDebugPrivilege  2088  csrsll.exe  (64 identical entries)
Suspicious use of SetWindowsHookEx 4 IoCs
Processes: 18dd64b45b5c61964b14a52ff8859ddbd6941ccd386d0629779a7bf6ee287116_NeikiAnalytics.exe, 18dd64b45b5c61964b14a52ff8859ddbd6941ccd386d0629779a7bf6ee287116_NeikiAnalytics.exe, csrsll.exe, csrsll.exe
pid / process
652  18dd64b45b5c61964b14a52ff8859ddbd6941ccd386d0629779a7bf6ee287116_NeikiAnalytics.exe
2860  18dd64b45b5c61964b14a52ff8859ddbd6941ccd386d0629779a7bf6ee287116_NeikiAnalytics.exe
4432  csrsll.exe
2088  csrsll.exe
Suspicious use of WriteProcessMemory 33 IoCs
Processes: 18dd64b45b5c61964b14a52ff8859ddbd6941ccd386d0629779a7bf6ee287116_NeikiAnalytics.exe, 18dd64b45b5c61964b14a52ff8859ddbd6941ccd386d0629779a7bf6ee287116_NeikiAnalytics.exe, cmd.exe, csrsll.exe
description / pid / process / target process
PID 652 wrote to memory of 2860  652  18dd64b45b5c61964b14a52ff8859ddbd6941ccd386d0629779a7bf6ee287116_NeikiAnalytics.exe  18dd64b45b5c61964b14a52ff8859ddbd6941ccd386d0629779a7bf6ee287116_NeikiAnalytics.exe  (8 entries)
PID 2860 wrote to memory of 3276  2860  18dd64b45b5c61964b14a52ff8859ddbd6941ccd386d0629779a7bf6ee287116_NeikiAnalytics.exe  cmd.exe  (3 entries)
PID 3276 wrote to memory of 740  3276  cmd.exe  reg.exe  (3 entries)
PID 2860 wrote to memory of 4432  2860  18dd64b45b5c61964b14a52ff8859ddbd6941ccd386d0629779a7bf6ee287116_NeikiAnalytics.exe  csrsll.exe  (3 entries)
PID 4432 wrote to memory of 2088  4432  csrsll.exe  csrsll.exe  (8 entries)
PID 4432 wrote to memory of 4636  4432  csrsll.exe  csrsll.exe  (8 entries)
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\18dd64b45b5c61964b14a52ff8859ddbd6941ccd386d0629779a7bf6ee287116_NeikiAnalytics.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\18dd64b45b5c61964b14a52ff8859ddbd6941ccd386d0629779a7bf6ee287116_NeikiAnalytics.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 652
  Level 2: C:\Users\Admin\AppData\Local\Temp\18dd64b45b5c61964b14a52ff8859ddbd6941ccd386d0629779a7bf6ee287116_NeikiAnalytics.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\18dd64b45b5c61964b14a52ff8859ddbd6941ccd386d0629779a7bf6ee287116_NeikiAnalytics.exe"
      - Checks computer location settings
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 2860
    Level 3: C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LDXBY.bat" "
        - Suspicious use of WriteProcessMemory
        PID: 3276
      Level 4: C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Win Pdf" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe" /f
          - Adds Run key to start application
          PID: 740
    Level 3: C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 4432
      Level 4: C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          PID: 2088
      Level 4: C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
          - Executes dropped EXE
          PID: 4636
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 145B
MD5: 4eb61ec7816c34ec8c125acadc57ec1b
SHA1: b0015cc865c0bb1a027be663027d3829401a31cc
SHA256: 08375cdb2e9819391f67f71e9718c15b48d3eaa452c54bd8fdd1f6a42e899aff
SHA512: f289f01d996dd643560370be8cdf8894e9a676ca3813f706c01ef5d705b9b18246c6cadf10d96edd433a616637b8a78fbd23c5738e76f1c4e671977b6d0cb6c1

Filesize: 90KB
MD5: 2e54288db38683831904f41d97c899a7
SHA1: 4cc511b6228d994da51d213f36f46a76263e8bd5
SHA256: d53855058c55ec91cb3e40564d805a3199e507f81ac0a7912fb7a087e4c045aa
SHA512: 20146130681b8c48b8c1be1bac122597c9a94896bc6f8d4c2a63fc07d8e32d0f5a2e94d859cdfe8fed86ba790432f337bfe33268f808d37fe777fc291cfddce5