modiloader | 2986a47ecfbf3b8307675ec1f6ddfcef3880127e961b698fd3d990984c333a59

General

Target

2986a47ecfbf3b8307675ec1f6ddfcef3880127e961b698fd3d990984c333a59_NeikiAnalytics.exe
Size

112KB
MD5

0ca7aa0612159edcb3f9f8aa0a06a560
SHA1

e0c5f769388794a221b0b4f49ff0910fcd1ec2c9
SHA256

2986a47ecfbf3b8307675ec1f6ddfcef3880127e961b698fd3d990984c333a59
SHA512

b54ee87bdeb8ecd9f38ca5cfe50d7c28777a39daef4dc8f4b5ba49a80490d7cbf59629b900e696b1f8271d77db81682a7b205b189bab7d81c06886d3dd2dc44d
SSDEEP

1536:t2ovIa47CqIf2f3w41p7sDcX7juR/JSJw8EeNshUDGXJ:tVIr7zI+fAceoGxSKKo5

Score

10^/10

modiloader trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1588-284-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1216-123-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1216-129-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1588-284-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/1216-287-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2288-277-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2288-299-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Suspicious use of SetThreadContext 2 IoCs

Processes:

2986a47ecfbf3b8307675ec1f6ddfcef3880127e961b698fd3d990984c333a59_NeikiAnalytics.exe

description	pid	process	target process
PID 108 set thread context of 2888	108	2986a47ecfbf3b8307675ec1f6ddfcef3880127e961b698fd3d990984c333a59_NeikiAnalytics.exe	svchost.exe
PID 108 set thread context of 1216	108	2986a47ecfbf3b8307675ec1f6ddfcef3880127e961b698fd3d990984c333a59_NeikiAnalytics.exe	2986a47ecfbf3b8307675ec1f6ddfcef3880127e961b698fd3d990984c333a59_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exe

pid	process
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

2986a47ecfbf3b8307675ec1f6ddfcef3880127e961b698fd3d990984c333a59_NeikiAnalytics.exesvchost.exe2986a47ecfbf3b8307675ec1f6ddfcef3880127e961b698fd3d990984c333a59_NeikiAnalytics.exe

pid	process
108	2986a47ecfbf3b8307675ec1f6ddfcef3880127e961b698fd3d990984c333a59_NeikiAnalytics.exe
2888	svchost.exe
1216	2986a47ecfbf3b8307675ec1f6ddfcef3880127e961b698fd3d990984c333a59_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

2986a47ecfbf3b8307675ec1f6ddfcef3880127e961b698fd3d990984c333a59_NeikiAnalytics.exe

description	pid	process	target process
PID 108 wrote to memory of 2888	108	2986a47ecfbf3b8307675ec1f6ddfcef3880127e961b698fd3d990984c333a59_NeikiAnalytics.exe	svchost.exe
PID 108 wrote to memory of 2888	108	2986a47ecfbf3b8307675ec1f6ddfcef3880127e961b698fd3d990984c333a59_NeikiAnalytics.exe	svchost.exe
PID 108 wrote to memory of 2888	108	2986a47ecfbf3b8307675ec1f6ddfcef3880127e961b698fd3d990984c333a59_NeikiAnalytics.exe	svchost.exe
PID 108 wrote to memory of 2888	108	2986a47ecfbf3b8307675ec1f6ddfcef3880127e961b698fd3d990984c333a59_NeikiAnalytics.exe	svchost.exe
PID 108 wrote to memory of 2888	108	2986a47ecfbf3b8307675ec1f6ddfcef3880127e961b698fd3d990984c333a59_NeikiAnalytics.exe	svchost.exe
PID 108 wrote to memory of 2888	108	2986a47ecfbf3b8307675ec1f6ddfcef3880127e961b698fd3d990984c333a59_NeikiAnalytics.exe	svchost.exe
PID 108 wrote to memory of 2888	108	2986a47ecfbf3b8307675ec1f6ddfcef3880127e961b698fd3d990984c333a59_NeikiAnalytics.exe	svchost.exe
PID 108 wrote to memory of 2888	108	2986a47ecfbf3b8307675ec1f6ddfcef3880127e961b698fd3d990984c333a59_NeikiAnalytics.exe	svchost.exe
PID 108 wrote to memory of 2888	108	2986a47ecfbf3b8307675ec1f6ddfcef3880127e961b698fd3d990984c333a59_NeikiAnalytics.exe	svchost.exe
PID 108 wrote to memory of 2888	108	2986a47ecfbf3b8307675ec1f6ddfcef3880127e961b698fd3d990984c333a59_NeikiAnalytics.exe	svchost.exe
PID 108 wrote to memory of 1216	108	2986a47ecfbf3b8307675ec1f6ddfcef3880127e961b698fd3d990984c333a59_NeikiAnalytics.exe	2986a47ecfbf3b8307675ec1f6ddfcef3880127e961b698fd3d990984c333a59_NeikiAnalytics.exe
PID 108 wrote to memory of 1216	108	2986a47ecfbf3b8307675ec1f6ddfcef3880127e961b698fd3d990984c333a59_NeikiAnalytics.exe	2986a47ecfbf3b8307675ec1f6ddfcef3880127e961b698fd3d990984c333a59_NeikiAnalytics.exe
PID 108 wrote to memory of 1216	108	2986a47ecfbf3b8307675ec1f6ddfcef3880127e961b698fd3d990984c333a59_NeikiAnalytics.exe	2986a47ecfbf3b8307675ec1f6ddfcef3880127e961b698fd3d990984c333a59_NeikiAnalytics.exe
PID 108 wrote to memory of 1216	108	2986a47ecfbf3b8307675ec1f6ddfcef3880127e961b698fd3d990984c333a59_NeikiAnalytics.exe	2986a47ecfbf3b8307675ec1f6ddfcef3880127e961b698fd3d990984c333a59_NeikiAnalytics.exe
PID 108 wrote to memory of 1216	108	2986a47ecfbf3b8307675ec1f6ddfcef3880127e961b698fd3d990984c333a59_NeikiAnalytics.exe	2986a47ecfbf3b8307675ec1f6ddfcef3880127e961b698fd3d990984c333a59_NeikiAnalytics.exe
PID 108 wrote to memory of 1216	108	2986a47ecfbf3b8307675ec1f6ddfcef3880127e961b698fd3d990984c333a59_NeikiAnalytics.exe	2986a47ecfbf3b8307675ec1f6ddfcef3880127e961b698fd3d990984c333a59_NeikiAnalytics.exe
PID 108 wrote to memory of 1216	108	2986a47ecfbf3b8307675ec1f6ddfcef3880127e961b698fd3d990984c333a59_NeikiAnalytics.exe	2986a47ecfbf3b8307675ec1f6ddfcef3880127e961b698fd3d990984c333a59_NeikiAnalytics.exe
PID 108 wrote to memory of 1216	108	2986a47ecfbf3b8307675ec1f6ddfcef3880127e961b698fd3d990984c333a59_NeikiAnalytics.exe	2986a47ecfbf3b8307675ec1f6ddfcef3880127e961b698fd3d990984c333a59_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\2986a47ecfbf3b8307675ec1f6ddfcef3880127e961b698fd3d990984c333a59_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2986a47ecfbf3b8307675ec1f6ddfcef3880127e961b698fd3d990984c333a59_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:108

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\system32\svchost.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2888

C:\Users\Admin\AppData\Local\Temp\2986a47ecfbf3b8307675ec1f6ddfcef3880127e961b698fd3d990984c333a59_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2986a47ecfbf3b8307675ec1f6ddfcef3880127e961b698fd3d990984c333a59_NeikiAnalytics.exe"
2⤵
- Suspicious use of SetWindowsHookEx
PID:1216

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SSGHC.bat" "
3⤵
PID:1780

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows WA" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe" /f
4⤵
PID:1556

C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe"
3⤵
PID:2640

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\system32\svchost.exe"
4⤵
PID:2444

C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe"
4⤵
PID:2288

C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe"
4⤵
PID:1588

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SSGHC.bat
Filesize
148B

MD5
3a4614705555abb049c3298e61170b7f

SHA1
c8686410756f346d9551256a5b878b04770950ba

SHA256
cff0663c8cfadf83b80583a871c313ffc5d950cb503809cb4a482f400c5d846b

SHA512
65ce6fec00e6934f21635e7ccd74757f31ed4b0ddb52bd80d3ea9abeba56340128d23151ef7d9f5daacb5d61e4a4cca50dbb3a43132e350522311ee06e829007

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe
Filesize
112KB

MD5
4e27d48972e9a9b2597cf27c27ffb41c

SHA1
bcbf24d48ae871bdf36cf46ddb6feab6ecc3fa0c

SHA256
5ea52f8fc42d2cf03fc303a0aa9817489f50f860346eaa6b895cbac7ae0bea7c

SHA512
5700a2f65fedbb27dfd8a95e93594eaad80d0b963033b731f6a30f15514e9152992c0376678e5d173275fdf495fc83c0a4e69f11c42a477ff8c89b078f42839a

Download Submit
memory/108-32-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/108-14-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/108-20-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/108-28-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/108-2-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/108-38-0x00000000024E0000-0x00000000024E2000-memory.dmp

Filesize
8KB

Download
memory/108-63-0x0000000002510000-0x0000000002512000-memory.dmp

Filesize
8KB

Download
memory/108-62-0x0000000002500000-0x0000000002502000-memory.dmp

Filesize
8KB

Download
memory/108-80-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/108-88-0x0000000002570000-0x0000000002572000-memory.dmp

Filesize
8KB

Download
memory/108-8-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/108-4-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1216-129-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1216-123-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1216-287-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1588-284-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2288-299-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2288-277-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2888-101-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2888-93-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2888-91-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2888-89-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2888-124-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2888-95-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2888-99-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2888-296-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2888-97-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads