Analysis
  max time kernel: 13s
  max time network: 150s
  platform: windows10-2004_x64
  resource: win10v2004-20231215-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 29/12/2023, 22:15
Static task: static1
Behavioral task: behavioral1
  Sample: 05606ed618ba2049f689624a5c92c59f.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 05606ed618ba2049f689624a5c92c59f.exe
  Resource: win10v2004-20231215-en
General
  Target: 05606ed618ba2049f689624a5c92c59f.exe
  Size: 372KB
  MD5: 05606ed618ba2049f689624a5c92c59f
  SHA1: abc1757c103c293785ec74ccf8654eb23b96d936
  SHA256: 48c7eef81254424ca43b9302fcaf9e7dc8a3b6dd317d9c2526f142de934fa88f
  SHA512: f56f51175f8afc549d6f34af2a29181f4d30a9e1030286aef223502baa6b0e79b04eb0d62da4b3ac4fc5a198111b5d224be9890399fe9d5e92d34ad1e35223cc
  SSDEEP: 6144:s/gkkCIh1n1v1D1n1v1D1n1v1D1n1v1D1n1vJTJbJHJzJbJnJTJbJHJzJbJnJTJJ:lkWhlNJFNplNJFNplNJFNplNJFNplNJf
Malware Config
Signatures
ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Windows\\winllogon.exe\""
  process: winllogon.exe
ModiLoader Second Stage (14 IoCs)
  resource / yara_rule:
  behavioral2/memory/3272-11-0x0000000000400000-0x0000000000460000-memory.dmp  modiloader_stage2
  behavioral2/memory/3272-14-0x0000000000400000-0x0000000000460000-memory.dmp  modiloader_stage2
  behavioral2/memory/3272-13-0x0000000000400000-0x0000000000460000-memory.dmp  modiloader_stage2
  behavioral2/memory/3272-27-0x0000000000400000-0x0000000000460000-memory.dmp  modiloader_stage2
  behavioral2/memory/3272-12-0x0000000000400000-0x0000000000460000-memory.dmp  modiloader_stage2
  behavioral2/memory/3272-9-0x0000000000400000-0x0000000000460000-memory.dmp  modiloader_stage2
  behavioral2/memory/3272-7-0x0000000000400000-0x0000000000460000-memory.dmp  modiloader_stage2
  behavioral2/memory/3272-5-0x0000000000400000-0x0000000000460000-memory.dmp  modiloader_stage2
  behavioral2/memory/3272-3-0x0000000000400000-0x0000000000460000-memory.dmp  modiloader_stage2
  behavioral2/memory/3272-2-0x0000000000400000-0x0000000000460000-memory.dmp  modiloader_stage2
  behavioral2/memory/3436-44-0x0000000000400000-0x0000000000460000-memory.dmp  modiloader_stage2
  behavioral2/memory/3436-61-0x0000000000400000-0x0000000000460000-memory.dmp  modiloader_stage2
  behavioral2/memory/3436-45-0x0000000000400000-0x0000000000460000-memory.dmp  modiloader_stage2
  behavioral2/memory/3436-43-0x0000000000400000-0x0000000000460000-memory.dmp  modiloader_stage2
Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
  description: Key created
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80ON131A-46MV-620B-N5M0-714N78TIP1R6}
  process: winllogon.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80ON131A-46MV-620B-N5M0-714N78TIP1R6}\StubPath = "\"C:\\Windows\\winllogon.exe\""
  process: winllogon.exe
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation
  process: 05606ed618ba2049f689624a5c92c59f.exe
Executes dropped EXE (2 IoCs)
  pid 3872: winllogon.exe
  pid 3436: winllogon.exe
Drops file in System32 directory (1 IoC)
  description: File created
  ioc: C:\Windows\SysWOW64\INFAMOUS HOOK V.O2.EXE
  process: winllogon.exe
Suspicious use of SetThreadContext (2 IoCs)
  PID 4672 set thread context of 3272 (process 05606ed618ba2049f689624a5c92c59f.exe, procid_target 94)
  PID 3872 set thread context of 3436 (process winllogon.exe, procid_target 102)
Drops file in Windows directory (3 IoCs)
  File created: C:\Windows\winllogon.exe (process 05606ed618ba2049f689624a5c92c59f.exe)
  File opened for modification: C:\Windows\winllogon.exe (process 05606ed618ba2049f689624a5c92c59f.exe)
  File opened for modification: C:\Windows\winllogon.exe (process winllogon.exe)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 4672: 05606ed618ba2049f689624a5c92c59f.exe
  pid 3872: winllogon.exe
Suspicious use of WriteProcessMemory (29 IoCs)
  PID 4672 wrote to memory of 3272 (process 05606ed618ba2049f689624a5c92c59f.exe, procid_target 94): 13 identical entries
  PID 3272 wrote to memory of 3872 (process 05606ed618ba2049f689624a5c92c59f.exe, procid_target 93): 3 identical entries
  PID 3872 wrote to memory of 3436 (process winllogon.exe, procid_target 102): 13 identical entries
Processes
  C:\Users\Admin\AppData\Local\Temp\05606ed618ba2049f689624a5c92c59f.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\05606ed618ba2049f689624a5c92c59f.exe"
    PID: 4672
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    child process: C:\Users\Admin\AppData\Local\Temp\05606ed618ba2049f689624a5c92c59f.exe
      command line: C:\Users\Admin\AppData\Local\Temp\05606ed618ba2049f689624a5c92c59f.exe
      PID: 3272
      - Checks computer location settings
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
  C:\Windows\winllogon.exe
    command line: "C:\Windows\winllogon.exe"
    PID: 3872
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    child process: C:\Windows\winllogon.exe
      command line: C:\Windows\winllogon.exe
      PID: 3436
      - Modifies WinLogon for persistence
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in System32 directory
  C:\Program Files\Internet Explorer\iexplore.exe
    command line: "C:\Program Files\Internet Explorer\iexplore.exe"
    PID: 2284
  C:\Windows\SysWOW64\INFAMOUS HOOK V.O2.EXE
    command line: "C:\Windows\system32\INFAMOUS HOOK V.O2.EXE"
    PID: 5096
Network
MITRE ATT&CK Enterprise v15
Downloads