Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/11/2022, 23:43
Behavioral task behavioral1
- Sample: Patch/Patch.exe
- Resource: win7-20220901-en

Behavioral task behavioral2
- Sample: Patch/Patch.exe
- Resource: win10v2004-20220901-en
General
- Target: Patch/Patch.exe
- Size: 132KB
- MD5: 92c47d3a0013fd2c1afe44806c7928e1
- SHA1: fb0a3a8c611da88a1343f1deb3b7daa20527e924
- SHA256: 3d8c3c63612f5d27f8a4fca992b3a56a6af24033c390b0392e174a5cf7fe2364
- SHA512: 94332c13ce21a15500992246e0da1317c7372d075ac7d0606e1fb5f95225ea5f2cbecc50a6b7c0cc84e1c807b152d47a0517e959ca55b49beed8838f6c319155
- SSDEEP: 1536:KyADcqOQbB3fQc8Pfymg0yxpByxzRIt6HdzPesVyY6PbpMhCDmeohEt8T:HyVQtPfymg0sox9XUPbpWeURT
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

- ModiLoader Second Stage (4 IoCs)
  YARA rule modiloader_stage2 matched the following resources:
  - behavioral2/files/0x0002000000022df8-133.dat
  - behavioral2/files/0x0002000000022df8-134.dat
  - behavioral2/files/0x0003000000022e00-142.dat
  - behavioral2/files/0x0003000000022e00-143.dat

- Executes dropped EXE (5 IoCs)
  - PID 4412: FB_BA2D.tmp.exe
  - PID 3764: FB_BD2B.tmp.exe
  - PID 4880: FB_BD8A.tmp.exe
  - PID 2592: AdobeUpdate.exe
  - PID 620: DriverUpdate.exe

- Modifies Windows Firewall (1 TTP, 1 IoC)
  - PID 1956: netsh.exe

- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation, by each of:
  - FB_BD2B.tmp.exe
  - Patch.exe
  - FB_BA2D.tmp.exe

- Drops startup file (2 IoCs)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\67b50313b3610dbbe66e30f19a1dbd14.exe (DriverUpdate.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\67b50313b3610dbbe66e30f19a1dbd14.exe (DriverUpdate.exe)

- Adds Run key to start application (2 TTPs, 3 IoCs)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\AdobeUpdate.exe" (AdobeUpdate.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\67b50313b3610dbbe66e30f19a1dbd14 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\DriverUpdate.exe\" .." (DriverUpdate.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\67b50313b3610dbbe66e30f19a1dbd14 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\DriverUpdate.exe\" .." (DriverUpdate.exe)

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious behavior: EnumeratesProcesses (45 IoCs)
  - PID 620: DriverUpdate.exe (the same process, recorded 45 times)

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  - Token: SeDebugPrivilege, PID 620: DriverUpdate.exe

- Suspicious use of WriteProcessMemory (18 IoCs; each event below was recorded 3 times)
  - PID 1536 (Patch.exe) wrote to memory of PID 4412 (procid_target 80)
  - PID 1536 (Patch.exe) wrote to memory of PID 3764 (procid_target 81)
  - PID 1536 (Patch.exe) wrote to memory of PID 4880 (procid_target 82)
  - PID 4412 (FB_BA2D.tmp.exe) wrote to memory of PID 2592 (procid_target 83)
  - PID 3764 (FB_BD2B.tmp.exe) wrote to memory of PID 620 (procid_target 84)
  - PID 620 (DriverUpdate.exe) wrote to memory of PID 1956 (procid_target 85)
Processes
- C:\Users\Admin\AppData\Local\Temp\Patch\Patch.exe (PID 1536)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Patch\Patch.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\FB_BA2D.tmp.exe (PID 4412)
    Command line: "C:\Users\Admin\AppData\Local\Temp\FB_BA2D.tmp.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\AdobeUpdate.exe (PID 2592)
      Command line: "C:\Users\Admin\AppData\Roaming\AdobeUpdate.exe"
      - Executes dropped EXE
      - Adds Run key to start application
  - C:\Users\Admin\AppData\Local\Temp\FB_BD2B.tmp.exe (PID 3764)
    Command line: "C:\Users\Admin\AppData\Local\Temp\FB_BD2B.tmp.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\DriverUpdate.exe (PID 620)
      Command line: "C:\Users\Admin\AppData\Local\Temp\DriverUpdate.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\netsh.exe (PID 1956)
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\DriverUpdate.exe" "DriverUpdate.exe" ENABLE
        - Modifies Windows Firewall
  - C:\Users\Admin\AppData\Local\Temp\FB_BD8A.tmp.exe (PID 4880)
    Command line: "C:\Users\Admin\AppData\Local\Temp\FB_BD8A.tmp.exe"
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads