Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

05606ed618...9f.exe

windows7-x64

10

05606ed618...9f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    13s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/12/2023, 22:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    05606ed618ba2049f689624a5c92c59f.exe

  • Size

    372KB

  • MD5

    05606ed618ba2049f689624a5c92c59f

  • SHA1

    abc1757c103c293785ec74ccf8654eb23b96d936

  • SHA256

    48c7eef81254424ca43b9302fcaf9e7dc8a3b6dd317d9c2526f142de934fa88f

  • SHA512

    f56f51175f8afc549d6f34af2a29181f4d30a9e1030286aef223502baa6b0e79b04eb0d62da4b3ac4fc5a198111b5d224be9890399fe9d5e92d34ad1e35223cc

  • SSDEEP

    6144:s/gkkCIh1n1v1D1n1v1D1n1v1D1n1v1D1n1vJTJbJHJzJbJnJTJbJHJzJbJnJTJJ:lkWhlNJFNplNJFNplNJFNplNJFNplNJf

Score
10/10
modiloaderpersistencetrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • ModiLoader Second Stage 14 IoCs
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\05606ed618ba2049f689624a5c92c59f.exe
    "C:\Users\Admin\AppData\Local\Temp\05606ed618ba2049f689624a5c92c59f.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4672
    • C:\Users\Admin\AppData\Local\Temp\05606ed618ba2049f689624a5c92c59f.exe
      C:\Users\Admin\AppData\Local\Temp\05606ed618ba2049f689624a5c92c59f.exe
      2⤵
      • Checks computer location settings
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:3272
  • C:\Windows\winllogon.exe
    "C:\Windows\winllogon.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3872
    • C:\Windows\winllogon.exe
      C:\Windows\winllogon.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in System32 directory
      PID:3436
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    1⤵
      PID:2284
    • C:\Windows\SysWOW64\INFAMOUS HOOK V.O2.EXE
      "C:\Windows\system32\INFAMOUS HOOK V.O2.EXE"
      1⤵
        PID:5096

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\SysWOW64\INFAMOUS HOOK V.O2.EXE
        Filesize

        21KB

        MD5

        f8f0ba667c605f7c55fbaaac00f915b7

        SHA1

        10fb25d0a06e622ff501f67dafcfac5d03870d52

        SHA256

        41e6b7454ce5820f803f98c2939d98e582716ef45753e275bb83b1af49381de5

        SHA512

        05001d2777fc84687947f5b8c730180e25569ed37aaaff4486c32dcbad57e983622bc040e484d9c5ae90b0fb72574d08e3df653c21d5b78c47bc55e01efdced1

        Download Submit

      • C:\Windows\SysWOW64\INFAMOUS HOOK V.O2.EXE
        Filesize

        61KB

        MD5

        b99ffa067521f17e43e58aadac6f2fca

        SHA1

        33528dd441c0ca66b3b92ea6b6de7154600eed64

        SHA256

        2fc055faa9e8bbc024f23a2c7d8e24745d3a4971c5f486edaedeaf7d816b6d2a

        SHA512

        fd909f9374b2a4b54ee9bc819332739beec79a2562ab03825bbe78b035169aa2a64c343aafae7b840590661c24c9c2a924469525f39c6696568a7b442f2c8c0a

        Download Submit

      • C:\Windows\SysWOW64\INFAMOUS HOOK V.O2.EXE
        Filesize

        57KB

        MD5

        1cc8fd0801d8bf64a5ec6965e9c0c622

        SHA1

        9e1e99a98c2f226458beda316219655dfbe22b2e

        SHA256

        36fb748d2cd0a86746709f40022ab2667c526ca72529b4db423b35d5f17ee59d

        SHA512

        8ba6f4ac524d9a3199767e583ad1138191fdab11f6a5eb6f4a54f6f3820764e968fbf0d9ed364ea53c18a6bac4804908ae5e1880825843039e96107d58a90e14

        Download Submit

      • C:\Windows\winllogon.exe
        Filesize

        4KB

        MD5

        321e60ed665f37fcf148247cac58d7cb

        SHA1

        a43b6956bafe4d729ae750f0870a664ab1f25e87

        SHA256

        dc04d7805663d12a8d942c2916946d3ece4535315fa006537c4d7778a1d47eeb

        SHA512

        2f06971977ab0b774db1c0fbd173866a4f64170f4a148d6641e08f8d33b4f066d3f881cc2c81377469ad39de2d440b1d31fca5f9adf21c2091151f28afe65dda

        Download Submit

      • C:\Windows\winllogon.exe
        Filesize

        774B

        MD5

        72dd394e9dbba320124871153a1f2970

        SHA1

        2a4a93087443485b67b614fec044ea3fc2ec0724

        SHA256

        b04fb4de03e4f5bff130eab613dd820a3765fd3a77c5b66b55de6c43759e454a

        SHA512

        80041251e86f2b70ea31725f4a3ceae45e533023de5cd58e39eb0f7427c14e555cd71991ced62c61bd7cd91b0a9d0a7fbf7a9e86e4db38ef139d69b728c2e1eb

        Download Submit

      • C:\Windows\winllogon.exe
        Filesize

        101KB

        MD5

        c6fb73ef00ba35a9ba85052a0e3ae52a

        SHA1

        1297f403088acffbc4652195b82b48868e8fee70

        SHA256

        27b45fc5af612dc3d37616573000e6d566d829850994059d24e9ed6d8f3540f5

        SHA512

        9c4f4f97ac5ac563fccb7c8e430c3a531a44ae7aac111af9c2bbf8a9953c1ec3609a9bae1f1ef6912ff0af611770317602095539a046e5877d2b909b83d8331d

        Download Submit

      • memory/3272-27-0x0000000000400000-0x0000000000460000-memory.dmp

        Filesize

        384KB

        Download

      • memory/3272-11-0x0000000000400000-0x0000000000460000-memory.dmp

        Filesize

        384KB

        Download

      • memory/3272-7-0x0000000000400000-0x0000000000460000-memory.dmp

        Filesize

        384KB

        Download

      • memory/3272-5-0x0000000000400000-0x0000000000460000-memory.dmp

        Filesize

        384KB

        Download

      • memory/3272-3-0x0000000000400000-0x0000000000460000-memory.dmp

        Filesize

        384KB

        Download

      • memory/3272-2-0x0000000000400000-0x0000000000460000-memory.dmp

        Filesize

        384KB

        Download

      • memory/3272-9-0x0000000000400000-0x0000000000460000-memory.dmp

        Filesize

        384KB

        Download

      • memory/3272-12-0x0000000000400000-0x0000000000460000-memory.dmp

        Filesize

        384KB

        Download

      • memory/3272-14-0x0000000000400000-0x0000000000460000-memory.dmp

        Filesize

        384KB

        Download

      • memory/3272-13-0x0000000000400000-0x0000000000460000-memory.dmp

        Filesize

        384KB

        Download

      • memory/3436-61-0x0000000000400000-0x0000000000460000-memory.dmp

        Filesize

        384KB

        Download

      • memory/3436-44-0x0000000000400000-0x0000000000460000-memory.dmp

        Filesize

        384KB

        Download

      • memory/3436-45-0x0000000000400000-0x0000000000460000-memory.dmp

        Filesize

        384KB

        Download

      • memory/3436-43-0x0000000000400000-0x0000000000460000-memory.dmp

        Filesize

        384KB

        Download

      • memory/3436-55-0x0000000010410000-0x0000000010449000-memory.dmp

        Filesize

        228KB

        Download