Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

b5f9285e8d...7c.exe

windows7-x64

10

b5f9285e8d...7c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    192s
  • max time network
    198s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/12/2022, 04:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b5f9285e8d731f1be4c6587394cbc3d7e750ed11d2523b967e07dc6f7eee687c.exe

  • Size

    183KB

  • MD5

    47197a222c8269da3e25248c0eb85020

  • SHA1

    2203c2aacdd4bb9e53a40cb11ea9c229395c850c

  • SHA256

    b5f9285e8d731f1be4c6587394cbc3d7e750ed11d2523b967e07dc6f7eee687c

  • SHA512

    7c299805338bfa5711d0c46602f7dc319880732f14b2a58f91436e83036e6753801b2cacfe0b3e7151510408ba38753895ae86357e21e9b5aea902b74d7af008

  • SSDEEP

    3072:la5bDM8UfVhLuQIReRCoT4o3SfLRrQY+jRSOnhRVE6B2mQ6Z:0M8UE8pqLuYoSahRV72YZ

Score
10/10
modiloadertrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • ModiLoader Second Stage 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 4 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 22 IoCs
    adwarespyware
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b5f9285e8d731f1be4c6587394cbc3d7e750ed11d2523b967e07dc6f7eee687c.exe
    "C:\Users\Admin\AppData\Local\Temp\b5f9285e8d731f1be4c6587394cbc3d7e750ed11d2523b967e07dc6f7eee687c.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1524
    • C:\Users\Admin\AppData\Local\Temp\pdbTmLaAYOAo8v5ScRfM.exe
      "C:\Users\Admin\AppData\Local\Temp\pdbTmLaAYOAo8v5ScRfM.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3132
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\iK4OfkKK0GIO8TCQUtW0.gif
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:204
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:204 CREDAT:17410 /prefetch:2
        3⤵
        • Loads dropped DLL
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:3900

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Common Files\Microsoft Shared\MSINFO\atmQQ2.dll
    Filesize

    20KB

    MD5

    3bd58f86298b8fda0fdd00c78eb7050c

    SHA1

    d2951529c7517882979c459803710a8e98b4826b

    SHA256

    35d970dbeba260c12a6a787aa481da7d4628550d02728d08bc6a0805164b53ea

    SHA512

    72a6c4fb5cfb32800f131c3ad917549372e582f536550d485dd6b73121aebae63381dc9b7b68fbf8367b8c66de8b9af05270b3200ac3060ea5bffd47ecba1d9d

    Download Submit

  • C:\Program Files\Common Files\microsoft shared\MSInfo\atmQQ2.dll
    Filesize

    20KB

    MD5

    3bd58f86298b8fda0fdd00c78eb7050c

    SHA1

    d2951529c7517882979c459803710a8e98b4826b

    SHA256

    35d970dbeba260c12a6a787aa481da7d4628550d02728d08bc6a0805164b53ea

    SHA512

    72a6c4fb5cfb32800f131c3ad917549372e582f536550d485dd6b73121aebae63381dc9b7b68fbf8367b8c66de8b9af05270b3200ac3060ea5bffd47ecba1d9d

    Download Submit

  • C:\Program Files\Common Files\microsoft shared\MSInfo\atmQQ2.dll
    Filesize

    20KB

    MD5

    3bd58f86298b8fda0fdd00c78eb7050c

    SHA1

    d2951529c7517882979c459803710a8e98b4826b

    SHA256

    35d970dbeba260c12a6a787aa481da7d4628550d02728d08bc6a0805164b53ea

    SHA512

    72a6c4fb5cfb32800f131c3ad917549372e582f536550d485dd6b73121aebae63381dc9b7b68fbf8367b8c66de8b9af05270b3200ac3060ea5bffd47ecba1d9d

    Download Submit

  • C:\Program Files\Common Files\microsoft shared\MSInfo\atmQQ2.dll
    Filesize

    20KB

    MD5

    3bd58f86298b8fda0fdd00c78eb7050c

    SHA1

    d2951529c7517882979c459803710a8e98b4826b

    SHA256

    35d970dbeba260c12a6a787aa481da7d4628550d02728d08bc6a0805164b53ea

    SHA512

    72a6c4fb5cfb32800f131c3ad917549372e582f536550d485dd6b73121aebae63381dc9b7b68fbf8367b8c66de8b9af05270b3200ac3060ea5bffd47ecba1d9d

    Download Submit

  • C:\Program Files\Common Files\microsoft shared\MSInfo\atmQQ2.dll
    Filesize

    20KB

    MD5

    3bd58f86298b8fda0fdd00c78eb7050c

    SHA1

    d2951529c7517882979c459803710a8e98b4826b

    SHA256

    35d970dbeba260c12a6a787aa481da7d4628550d02728d08bc6a0805164b53ea

    SHA512

    72a6c4fb5cfb32800f131c3ad917549372e582f536550d485dd6b73121aebae63381dc9b7b68fbf8367b8c66de8b9af05270b3200ac3060ea5bffd47ecba1d9d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\iK4OfkKK0GIO8TCQUtW0.gif
    Filesize

    38KB

    MD5

    48148c5809f32d3fbf12cfc915db5960

    SHA1

    3ee2b8f75bf1e0b0aa82a1e9b3cec98b90e47088

    SHA256

    1dcb074c90fb70d2c759318d58488016d896e9849579b07254c34480c5ae781c

    SHA512

    e18270085f4e530422231ad205495d2d9df6e902746ab4716a109d6eabfe3823a244ab816fe932ab395279b4753531f77d001943fc4d8a55ad6434742cc48ffd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\pdbTmLaAYOAo8v5ScRfM.exe
    Filesize

    37KB

    MD5

    3e41b107bd3d043d2a26f2192a7b9331

    SHA1

    d55babe838b43e7d28808cec16667b271175e5c4

    SHA256

    1297d577f5043365da90a5a623b4ffa7a3ea66ad217b7df1493206a04726e874

    SHA512

    f852b2d4acb61d282601ead153631aeb5bd440867ee1a0be15514f778f4e57eca4a4eaaab8fba0e663c3ffa36990825f18035b31e99564de2ff4d0b0d2f9f718

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\pdbTmLaAYOAo8v5ScRfM.exe
    Filesize

    37KB

    MD5

    3e41b107bd3d043d2a26f2192a7b9331

    SHA1

    d55babe838b43e7d28808cec16667b271175e5c4

    SHA256

    1297d577f5043365da90a5a623b4ffa7a3ea66ad217b7df1493206a04726e874

    SHA512

    f852b2d4acb61d282601ead153631aeb5bd440867ee1a0be15514f778f4e57eca4a4eaaab8fba0e663c3ffa36990825f18035b31e99564de2ff4d0b0d2f9f718

    Download Submit

  • memory/3132-135-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/3132-139-0x0000000000530000-0x0000000000553000-memory.dmp

    Filesize

    140KB

    Download

  • memory/3132-138-0x0000000000530000-0x0000000000553000-memory.dmp

    Filesize

    140KB

    Download

  • memory/3900-143-0x0000000002DF0000-0x0000000002E13000-memory.dmp

    Filesize

    140KB

    Download