Analysis
- Max time kernel: 150s
- Max time network: 149s
- Platform: windows10-2004_x64
- Resource: win10v2004-20231130-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20231130-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 11/12/2023, 11:30
Static task: static1
Behavioral task: behavioral1
- Sample: 534353667789.exe
- Resource: win7-20231020-en
Behavioral task: behavioral2
- Sample: 534353667789.exe
- Resource: win10v2004-20231130-en
General
- Target: 534353667789.exe
- Size: 1.0MB
- MD5: 04c891b9979e4852e90c8c061473058c
- SHA1: ab22fb90604c58e206bc3bc0c33c0b5768db6fcf
- SHA256: 7385e28efaddf884f97be5ac178a05d5c6e523a616ba20980121005428fe3765
- SHA512: 92f7168e7eed554938e5eb9027418734ac8898db2bada777aebc3b58e606a9bfc90cbf1234d98defe15445d9c7e5907878eaf6f1754378144b456b6c7766643e
- SSDEEP: 24576:0it4uJtHL/PkgSAq5dRHBez6oONXEef2sS5OnYi:0iWiH7P85fsz6oM2mn/
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: ao65
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Formbook payload (4 IoCs)
  YARA rule formbook matched in:
  - behavioral2/memory/4688-8-0x0000000002870000-0x0000000003870000-memory.dmp
  - behavioral2/memory/4688-12-0x0000000002870000-0x0000000003870000-memory.dmp
  - behavioral2/memory/4644-19-0x0000000000BA0000-0x0000000000BCF000-memory.dmp
  - behavioral2/memory/4644-21-0x0000000000BA0000-0x0000000000BCF000-memory.dmp
- ModiLoader Second Stage (1 IoC)
  YARA rule modiloader_stage2 matched in:
  - behavioral2/memory/4808-2-0x0000000003DA0000-0x0000000004DA0000-memory.dmp
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) by 534353667789.exe: \REGISTRY\USER\S-1-5-21-3936660601-1848837011-2142350499-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vkxxtlgy = "C:\\Users\\Public\\Vkxxtlgy.url"
- Suspicious use of SetThreadContext (2 IoCs)
  - PID 4688 (SndVol.exe) set thread context of PID 3284 (procid_target 41)
  - PID 4644 (rundll32.exe) set thread context of PID 3284 (procid_target 41)
- Modifies registry class (3 IoCs)
  Keys created by Explorer.EXE:
  - \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
  - \REGISTRY\USER\S-1-5-21-3936660601-1848837011-2142350499-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
  - \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
- Script User-Agent (2 IoCs)
  Uses user-agent string associated with script host/environment.
  - HTTP User-Agent header, flow 57: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  - HTTP User-Agent header, flow 61: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  - PID 4808 534353667789.exe (2 events)
  - PID 4688 SndVol.exe (6 events)
  - PID 4644 rundll32.exe (56 events)
- Suspicious behavior: MapViewOfSection (5 IoCs)
  - PID 4688 SndVol.exe (3 events)
  - PID 4644 rundll32.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (20 IoCs)
  - Token: SeDebugPrivilege, PID 4688 SndVol.exe (1 event)
  - Token: SeDebugPrivilege, PID 4644 rundll32.exe (1 event)
  - Token: SeShutdownPrivilege, PID 3284 Explorer.EXE (9 events)
  - Token: SeCreatePagefilePrivilege, PID 3284 Explorer.EXE (9 events)
- Suspicious use of FindShellTrayWindow (3 IoCs)
  - PID 4688 SndVol.exe (1 event)
  - PID 3284 Explorer.EXE (2 events)
- Suspicious use of SendNotifyMessage (2 IoCs)
  - PID 4688 SndVol.exe (2 events)
- Suspicious use of UnmapMainImage (1 IoC)
  - PID 3284 Explorer.EXE (1 event)
- Suspicious use of WriteProcessMemory (10 IoCs)
  - PID 4808 (534353667789.exe) wrote to memory of PID 4688 (procid_target 102), 4 events
  - PID 3284 (Explorer.EXE) wrote to memory of PID 4644 (procid_target 103), 3 events
  - PID 4644 (rundll32.exe) wrote to memory of PID 1452 (procid_target 105), 3 events
Processes
- C:\Users\Admin\AppData\Local\Temp\534353667789.exe (PID 4808)
  Command line: "C:\Users\Admin\AppData\Local\Temp\534353667789.exe"
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\SndVol.exe (PID 4688)
    Command line: C:\Windows\System32\SndVol.exe
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
- C:\Windows\Explorer.EXE (PID 3284)
  Command line: C:\Windows\Explorer.EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 4644)
    Command line: "C:\Windows\SysWOW64\rundll32.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 1452)
      Command line: /c del "C:\Windows\SysWOW64\SndVol.exe"