Analysis

max time kernel: 183s
max time network: 69s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 23/11/2022, 19:26
Static task: static1

Behavioral task: behavioral1
Sample: a644f4644a53319c1acefcd761d046e98a480f291ac0649f540a80dab570a237.exe
Resource: win7-20221111-en

Behavioral task: behavioral2
Sample: a644f4644a53319c1acefcd761d046e98a480f291ac0649f540a80dab570a237.exe
Resource: win10v2004-20221111-en
General

Target: a644f4644a53319c1acefcd761d046e98a480f291ac0649f540a80dab570a237.exe
Size: 380KB
MD5: 1ab27b63c1a49193f4b2f1f9554ca91b
SHA1: a746201024f0cd21e1d10f4d435510e3f4de33d2
SHA256: a644f4644a53319c1acefcd761d046e98a480f291ac0649f540a80dab570a237
SHA512: 03d41630e4d4cae5058ad3e9080e53e1657c1f1bae2503410551656cbc1e575b06f8828189ead40e1f96eb7a85bb5e292f2ebea952cc362a7ef6c61d7c2a9af5
SSDEEP: 6144:Hk8u7jp9fQ6u+JUuWj2bL30ct3PUgXjgc/kS8vyiYESWT5kLo8Xb0FAFnQslaHu3:UplTUJ2bLkct3s1c/kS8vyiYMT5kLoWt
Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage (1 IoC)
resource                                                                          yara_rule
behavioral1/memory/1736-59-0x0000000000400000-0x0000000000482000-memory.dmp       modiloader_stage2

Executes dropped EXE (2 IoCs)
pid    Process
2032   java.exe
752    java.exe

Modifies Windows Firewall (1 TTP, 1 IoC)
pid    Process
1852   netsh.exe

Drops startup file (2 IoCs)
description                    ioc                                                                                                                  Process
File opened for modification   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6b782f73214429c3d9bc5c4dba38019f.exe   java.exe
File created                   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6b782f73214429c3d9bc5c4dba38019f.exe   java.exe

Loads dropped DLL (2 IoCs)
pid    Process
1736   a644f4644a53319c1acefcd761d046e98a480f291ac0649f540a80dab570a237.exe
2032   java.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description       ioc                                                                                                                                                                                    Process
Set value (str)   \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\6b782f73214429c3d9bc5c4dba38019f = "\"C:\\Users\\Admin\\AppData\\Roaming\\java.exe\" .."   java.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\6b782f73214429c3d9bc5c4dba38019f = "\"C:\\Users\\Admin\\AppData\\Roaming\\java.exe\" .."                 java.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid    Process
752    java.exe
752    java.exe
752    java.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description               pid    Process
Token: SeDebugPrivilege   752    java.exe

Suspicious use of WriteProcessMemory (18 IoCs; identical rows collapsed, with the number of recorded calls in the last column)
description                        pid    Process                                                                  procid_target   calls
PID 1736 wrote to memory of 2032   1736   a644f4644a53319c1acefcd761d046e98a480f291ac0649f540a80dab570a237.exe   28              7
PID 2032 wrote to memory of 752    2032   java.exe                                                                 29              7
PID 752 wrote to memory of 1852    752    java.exe                                                                 30              4
Processes

1. C:\Users\Admin\AppData\Local\Temp\a644f4644a53319c1acefcd761d046e98a480f291ac0649f540a80dab570a237.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a644f4644a53319c1acefcd761d046e98a480f291ac0649f540a80dab570a237.exe"
   PID: 1736
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\java.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\java.exe"
      PID: 2032
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Roaming\java.exe
         Command line: "C:\Users\Admin\AppData\Roaming\java.exe"
         PID: 752
         - Executes dropped EXE
         - Drops startup file
         - Adds Run key to start application
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\netsh.exe
            Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\java.exe" "java.exe" ENABLE
            PID: 1852
            - Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 47KB
MD5: 06567cf94124d86ea7f90aeb16eafc08
SHA1: 0b26fddc27138a15a404e1d969c8476253e0d48d
SHA256: 1edcd4e37aff5be25c81d20680c6bac1bfe8a54f9d4bf9fb37c070d2172c66c4
SHA512: 3dd5eaca0a9adfdf9e71107155d7d2d05af82d6e0e79fa41ae384bf89c83fc075567ee969f5e2a6ce48490306b399fca0a470151e9c65b62b6ad6ab7aaac5d17