Analysis
- max time kernel: 147s
- max time network: 133s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29/12/2023, 18:53
Static task: static1
Behavioral task: behavioral1
- Sample: 010017e186c37470c1208876f7bb2db3.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 010017e186c37470c1208876f7bb2db3.exe
- Resource: win10v2004-20231215-en
General
- Target: 010017e186c37470c1208876f7bb2db3.exe
- Size: 26KB
- MD5: 010017e186c37470c1208876f7bb2db3
- SHA1: 6ddcc3756f32e75d0e782b832860dc9595326874
- SHA256: a475322f26172f4dad7c67d1f01426b31a45afbc448b8b01d3f4d09fb53b2f4f
- SHA512: 3e30f2aa73576f65470952c71676ee429c4142d0147478fa3a27201fd614834d1fb46eb60c3e5add1392502d33267c7bbed3602366c4d7f15209b29beb46ab42
- SSDEEP: 384:fdKoA0iaVZAszu/RQ+mLyvXYu5+z0jfSkkn0BzzqNhfF0axPn9qGciTtxs0F4XkA:f4oTHupC2/kgqkk05whcG/LsXkA
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage (2 IoCs)
  resource | yara_rule
  behavioral2/memory/1844-14-0x0000000000400000-0x0000000000425000-memory.dmp | modiloader_stage2
  behavioral2/memory/3152-17-0x0000000000400000-0x0000000000425000-memory.dmp | modiloader_stage2
- Executes dropped EXE (1 IoC)
  pid | Process
  3152 | winow.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  3152 | winow.exe
  3152 | winow.exe
- Drops file in Windows directory (5 IoCs)
  description | ioc | Process
  File created | C:\Windows\winow.dll | 010017e186c37470c1208876f7bb2db3.exe
  File created | C:\Windows\winow.exe | 010017e186c37470c1208876f7bb2db3.exe
  File opened for modification | C:\Windows\winow.exe | 010017e186c37470c1208876f7bb2db3.exe
  File created | C:\Windows\winow.dll | winow.exe
  File created | C:\Windows\winow.exe | winow.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  3152 | winow.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 1844 wrote to memory of 3152 | 1844 | 010017e186c37470c1208876f7bb2db3.exe | 15
  PID 1844 wrote to memory of 3152 | 1844 | 010017e186c37470c1208876f7bb2db3.exe | 15
  PID 1844 wrote to memory of 3152 | 1844 | 010017e186c37470c1208876f7bb2db3.exe | 15
Processes
- C:\Users\Admin\AppData\Local\Temp\010017e186c37470c1208876f7bb2db3.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\010017e186c37470c1208876f7bb2db3.exe"
  PID: 1844
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\winow.exe (depth 2, child of PID 1844)
    Command line: C:\Windows\winow.exe
    PID: 3152
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 33KB
  MD5: 5e0e81a2ef1a5013e7e3593b165590a0
  SHA1: a940fc1e724b61a86acdc232669f0a50775cd840
  SHA256: c3fe5505e2c18a9aedf654906184bd21a0ee889908894ca824ec7a6945edcca1
  SHA512: 4d47dd00a716f0492ddbe0974ba2f906e9602cffec8da61789a5232918abe44216df250bdd1ddcc0b75a3f583520119e4bbf687dfdb116c4336b80921577aa9b
- Filesize: 1KB
  MD5: 44e0ddd48109116d57784ffa1ed11457
  SHA1: 6d2e5f95e05b61c82064c9316fdb3a3e2154c283
  SHA256: 5935d9dd269cd45700a9b690ebedf003a79662be858508d5426aa607e2e80857
  SHA512: 4a42ffd48814deb9de4468ea9f6683aad6a239c212acf0d889e45811a21686c4e3c0e04c46e4baf2a847d5f63d3ba9954cfa157d1f0da9fc30dada2883929e08
- Filesize: 26KB
  MD5: 010017e186c37470c1208876f7bb2db3
  SHA1: 6ddcc3756f32e75d0e782b832860dc9595326874
  SHA256: a475322f26172f4dad7c67d1f01426b31a45afbc448b8b01d3f4d09fb53b2f4f
  SHA512: 3e30f2aa73576f65470952c71676ee429c4142d0147478fa3a27201fd614834d1fb46eb60c3e5add1392502d33267c7bbed3602366c4d7f15209b29beb46ab42