Analysis
- max time kernel: 121s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 29/12/2023, 18:53
Static task
- static1
Behavioral task
- behavioral1
  - Sample: 010017e186c37470c1208876f7bb2db3.exe
  - Resource: win7-20231215-en
Behavioral task
- behavioral2
  - Sample: 010017e186c37470c1208876f7bb2db3.exe
  - Resource: win10v2004-20231215-en
General
- Target: 010017e186c37470c1208876f7bb2db3.exe
- Size: 26KB
- MD5: 010017e186c37470c1208876f7bb2db3
- SHA1: 6ddcc3756f32e75d0e782b832860dc9595326874
- SHA256: a475322f26172f4dad7c67d1f01426b31a45afbc448b8b01d3f4d09fb53b2f4f
- SHA512: 3e30f2aa73576f65470952c71676ee429c4142d0147478fa3a27201fd614834d1fb46eb60c3e5add1392502d33267c7bbed3602366c4d7f15209b29beb46ab42
- SSDEEP: 384:fdKoA0iaVZAszu/RQ+mLyvXYu5+z0jfSkkn0BzzqNhfF0axPn9qGciTtxs0F4XkA:f4oTHupC2/kgqkk05whcG/LsXkA
Malware Config
(none extracted)
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage (3 IoCs)
  resource | yara_rule
  behavioral1/memory/1520-0-0x0000000000400000-0x0000000000425000-memory.dmp | modiloader_stage2
  behavioral1/memory/1520-12-0x0000000000400000-0x0000000000425000-memory.dmp | modiloader_stage2
  behavioral1/memory/2980-11-0x0000000000400000-0x0000000000425000-memory.dmp | modiloader_stage2
- Executes dropped EXE (1 IoC)
  pid | Process
  2980 | winow.exe
- Drops file in Windows directory (5 IoCs)
  description | ioc | Process
  File created | C:\Windows\winow.dll | 010017e186c37470c1208876f7bb2db3.exe
  File created | C:\Windows\winow.exe | 010017e186c37470c1208876f7bb2db3.exe
  File opened for modification | C:\Windows\winow.exe | 010017e186c37470c1208876f7bb2db3.exe
  File created | C:\Windows\winow.dll | winow.exe
  File created | C:\Windows\winow.exe | winow.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 1520 wrote to memory of 2980 | 1520 | 010017e186c37470c1208876f7bb2db3.exe | 28
  PID 1520 wrote to memory of 2980 | 1520 | 010017e186c37470c1208876f7bb2db3.exe | 28
  PID 1520 wrote to memory of 2980 | 1520 | 010017e186c37470c1208876f7bb2db3.exe | 28
  PID 1520 wrote to memory of 2980 | 1520 | 010017e186c37470c1208876f7bb2db3.exe | 28
Processes
- C:\Users\Admin\AppData\Local\Temp\010017e186c37470c1208876f7bb2db3.exe (PID 1520)
  Command line: "C:\Users\Admin\AppData\Local\Temp\010017e186c37470c1208876f7bb2db3.exe"
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\winow.exe (PID 2980, child of 1520)
    Command line: C:\Windows\winow.exe
    - Executes dropped EXE
    - Drops file in Windows directory
Network
(no network activity recorded)
MITRE ATT&CK Matrix
(no techniques listed)
Downloads
- Dropped file
  - Filesize: 33KB
  - MD5: 5e0e81a2ef1a5013e7e3593b165590a0
  - SHA1: a940fc1e724b61a86acdc232669f0a50775cd840
  - SHA256: c3fe5505e2c18a9aedf654906184bd21a0ee889908894ca824ec7a6945edcca1
  - SHA512: 4d47dd00a716f0492ddbe0974ba2f906e9602cffec8da61789a5232918abe44216df250bdd1ddcc0b75a3f583520119e4bbf687dfdb116c4336b80921577aa9b
- Dropped file (same hashes as the submitted sample)
  - Filesize: 26KB
  - MD5: 010017e186c37470c1208876f7bb2db3
  - SHA1: 6ddcc3756f32e75d0e782b832860dc9595326874
  - SHA256: a475322f26172f4dad7c67d1f01426b31a45afbc448b8b01d3f4d09fb53b2f4f
  - SHA512: 3e30f2aa73576f65470952c71676ee429c4142d0147478fa3a27201fd614834d1fb46eb60c3e5add1392502d33267c7bbed3602366c4d7f15209b29beb46ab42