Analysis
- max time kernel: 165s
- max time network: 181s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02/12/2022, 18:00
Static task: static1
Behavioral task: behavioral1
- Sample: 9057da642752aebb68998bb1c8e5b6a125daa92470ad1191da62a44094187250.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: 9057da642752aebb68998bb1c8e5b6a125daa92470ad1191da62a44094187250.exe
- Resource: win10v2004-20220812-en
General
- Target: 9057da642752aebb68998bb1c8e5b6a125daa92470ad1191da62a44094187250.exe
- Size: 631KB
- MD5: 3784baf66addb63f047c26c39b40a34e
- SHA1: 7d7bff16796dad8052bd62c1fda5b4869d2dd279
- SHA256: 9057da642752aebb68998bb1c8e5b6a125daa92470ad1191da62a44094187250
- SHA512: b2865afc1a370fcc98fddab60f7af13d7e64263a53da19460417ec84d59fa6a77212c74e6c67ffe9a14f7643a6a06251b8e302be0ed0157cb28c37c01de64930
- SSDEEP: 12288:IzT2da7QDms9cKcTUy/xQZZZHCE+gffVUlj0OtlLwu6oGjc4ysHJUB3WnG1x03L:ILs9NO7/xWZHjzfVUljrbwu6oQcaHJUq
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage (1 IoC)
  resource:  behavioral2/memory/1896-141-0x0000000000400000-0x00000000005BD000-memory.dmp
  yara_rule: modiloader_stage2
- Executes dropped EXE (3 IoCs)
  pid   Process
  1896  updata.exe
  4760  dogread.exe
  4960  hl-dump.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                     Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation     9057da642752aebb68998bb1c8e5b6a125daa92470ad1191da62a44094187250.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation     dogread.exe
- Drops file in Windows directory (1 IoC)
  description   ioc                      Process
  File created  C:\Windows\FieleWay.txt  updata.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (15 IoCs; each row below is reported 3 times)
  description                        pid   Process                                                                   procid_target
  PID 2480 wrote to memory of 1896   2480  9057da642752aebb68998bb1c8e5b6a125daa92470ad1191da62a44094187250.exe     80
  PID 2480 wrote to memory of 4760   2480  9057da642752aebb68998bb1c8e5b6a125daa92470ad1191da62a44094187250.exe     81
  PID 1896 wrote to memory of 3872   1896  updata.exe                                                                82
  PID 4760 wrote to memory of 4868   4760  dogread.exe                                                               83
  PID 4868 wrote to memory of 4960   4868  cmd.exe                                                                   85
Processes
- C:\Users\Admin\AppData\Local\Temp\9057da642752aebb68998bb1c8e5b6a125daa92470ad1191da62a44094187250.exe (PID 2480, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9057da642752aebb68998bb1c8e5b6a125daa92470ad1191da62a44094187250.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\updata.exe (PID 1896, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\updata.exe"
    Signatures: Executes dropped EXE; Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\mspaint.exe (PID 3872, depth 3)
      Command line: "C:\Windows\system32\mspaint.exe"
  - C:\Users\Admin\AppData\Local\Temp\dogread.exe (PID 4760, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\dogread.exe"
    Signatures: Executes dropped EXE; Checks computer location settings; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 4868, depth 3)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\pmrt.bat" "
      Signatures: Suspicious use of WriteProcessMemory
      - \??\c:\hl-dump.exe (PID 4960, depth 4)
        Command line: HL-DUMP.EXE /DUMP 0x1A5
        Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads