Analysis

  • max time kernel
    146s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/10/2022, 06:25

General

  • Target

    0ef3245ce5275be73bdd3e0f103bff30c36b65e25991ee3a502277705a1ac412.exe

  • Size

    432KB

  • MD5

    925d3742d51d76734a7241adfe3ff059

  • SHA1

    6c0eb873024fcfdf0863afa9de6c27c95b276712

  • SHA256

    0ef3245ce5275be73bdd3e0f103bff30c36b65e25991ee3a502277705a1ac412

  • SHA512

    ded3bbf8317677939a8449682e4151e9253efe87b8e2320f57e0dff8ac29c8957b1e4ff3b90d48c11523bb13e9f7585f237d4546c9d008a824aafe5485cf25d4

  • SSDEEP

    6144:DBgh/58KGip9lmh0UwwDdxtPw13OyhFR8uHQaEFmgOds2RshSP1p7a1ZLcPR2GTs:DBMmKGnhDT+JlCraEFmgOFSwYA2G5rQ3

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • UAC bypass (3 TTPs, 1 IoC)
  • ModiLoader Second Stage (3 IoCs)
  • UPX packed file (7 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL (4 IoCs)
  • Checks whether UAC is enabled (1 TTP, 2 IoCs)
  • AutoIT Executable (2 IoCs)

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken (5 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)
  • System policy modification (1 TTP, 1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\0ef3245ce5275be73bdd3e0f103bff30c36b65e25991ee3a502277705a1ac412.exe
    "C:\Users\Admin\AppData\Local\Temp\0ef3245ce5275be73bdd3e0f103bff30c36b65e25991ee3a502277705a1ac412.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4936
    • C:\Users\Admin\AppData\Local\Temp\0ef3245ce5275be73bdd3e0f103bff30c36b65e25991ee3a502277705a1ac412.exe
      "C:\Users\Admin\AppData\Local\Temp\0ef3245ce5275be73bdd3e0f103bff30c36b65e25991ee3a502277705a1ac412.exe"
      2⤵
      • UAC bypass
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:3740
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:5108

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\cmsetac.dll

    Filesize

    33KB

    MD5

    1281d16fa3141bfe8562bf519d9148da

    SHA1

    8c19b1cf6c979b8960b451d073f83c6557c72d26

    SHA256

    c404b6e3bd67392768fcc1690767edad918bf3c0cc9f474ac93b90ef688be141

    SHA512

    d668a99327ea99519088fb8fcebda538c44819e51e7a79e3c8a20ee02c6715eda7f3636551bad1fcc92dd4a4054605776ee0feaac1b17a7c566b27d0b0100042

  • C:\Users\Admin\AppData\Local\Temp\ntdtcstp.dll

    Filesize

    7KB

    MD5

    67587e25a971a141628d7f07bd40ffa0

    SHA1

    76fcd014539a3bb247cc0b761225f68bd6055f6b

    SHA256

    e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378

    SHA512

    6e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350

  • memory/3740-139-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/3740-138-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/3740-136-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/3740-134-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/3740-144-0x0000000003860000-0x000000000386E000-memory.dmp

    Filesize

    56KB

  • memory/3740-145-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/4936-132-0x0000000000400000-0x00000000004C9000-memory.dmp

    Filesize

    804KB

  • memory/4936-137-0x0000000000400000-0x00000000004C9000-memory.dmp

    Filesize

    804KB