Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
145s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
29/12/2023, 20:28
General
-
Target
032185fbaca47a4f4e6e61dde810715d.exe
-
Size
744KB
-
MD5
032185fbaca47a4f4e6e61dde810715d
-
SHA1
dd7be1f4780d053c14a617872cdd03802d5120d2
-
SHA256
01056966c39bc71d4cead1f28689d02f211ca8be360bdc58dd0844ed3d03e77d
-
SHA512
8b614c17adeecdfe67d205c35769e660715efd77be412681bd0c8661632c987e431e9a21519f2dc2fe00cdd119f7561242bc3dbc373333e2bd49554fdde58f6d
-
SSDEEP
12288:vT+cEyQ6KDYOMwRCYrzqpiO+T6rdV9NdqDywi023t9MUCaCk30bj:vTnQ6SYOM6CUzqpiO+Taj9NdqDywyd9o
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
UAC bypass 3 TTPs 1 IoCs
-
ModiLoader Second Stage 18 IoCs
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
-
System policy modification 1 TTPs 1 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\032185fbaca47a4f4e6e61dde810715d.exe"C:\Users\Admin\AppData\Local\Temp\032185fbaca47a4f4e6e61dde810715d.exe"1⤵
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\mstwain32.exe"C:\Windows\mstwain32.exe"2⤵
- UAC bypass
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
744KB
MD5032185fbaca47a4f4e6e61dde810715d
SHA1dd7be1f4780d053c14a617872cdd03802d5120d2
SHA25601056966c39bc71d4cead1f28689d02f211ca8be360bdc58dd0844ed3d03e77d
SHA5128b614c17adeecdfe67d205c35769e660715efd77be412681bd0c8661632c987e431e9a21519f2dc2fe00cdd119f7561242bc3dbc373333e2bd49554fdde58f6d
-
Filesize
928KB
-
Filesize
4KB
-
Filesize
928KB
-
Filesize
4KB
-
Filesize
928KB
-
Filesize
928KB
-
Filesize
928KB
-
Filesize
4KB
-
Filesize
80KB
-
Filesize
960KB
-
Filesize
4KB
-
Filesize
928KB
-
Filesize
928KB
-
Filesize
928KB
-
Filesize
960KB
-
Filesize
928KB
-
Filesize
56KB
-
Filesize
928KB
-
Filesize
928KB
-
Filesize
928KB
-
Filesize
928KB
-
Filesize
928KB
-
Filesize
928KB
-
Filesize
928KB
-
Filesize
928KB
-
Filesize
928KB