Analysis
max time kernel: 132s
max time network: 141s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/12/2023, 20:50
Static task: static1
Behavioral task: behavioral1
  Sample: 03a2cf836e01c4bbda317dff5f0bc869.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 03a2cf836e01c4bbda317dff5f0bc869.exe
  Resource: win10v2004-20231215-en
The Analysis block above (resource win10v2004-20231215-en) and the memory-dump hits under Signatures (tagged behavioral2) come from the Windows 10 run; no results from the Windows 7 run (behavioral1) appear on this page.
General
Target: 03a2cf836e01c4bbda317dff5f0bc869.exe
Size: 279KB
MD5: 03a2cf836e01c4bbda317dff5f0bc869
SHA1: 9f0746dc4f9698b7b5916f4327bfb50e27ef73d8
SHA256: ed68d679c7ebc0a1b23b215cda2d370a0da53ca08a8d296ffda986a434ff6596
SHA512: aeb876ed448acd8a11d4d5da22fc92c1d755990bac4ac8935bfd52bd431d4c96a94c517c1d74f62be74a429c3eebc52e3d9d922919de66d8c7e1c0566e14c4db
SSDEEP: 6144:nR0XMxh2JejPu6nDSCejtRbxZaBwoJjkE5Mx7xSw33V0dLOwm:OXMxhMebBDnSxE7jkIImFdm
Malware Config
(none extracted)
Signatures
ModiLoader, DBatLoader
ModiLoader (also tracked as DBatLoader) is a Delphi-written loader that misuses public cloud file-hosting services to download and run other malware families.
ModiLoader Second Stage (2 IoCs)
YARA rule modiloader_stage2 matched two memory dumps from behavioral2, both covering the same image range 0x00400000-0x00554000:
  behavioral2/memory/2796-22-0x0000000000400000-0x0000000000554000-memory.dmp  (PID 2796, QQ.exe)
  behavioral2/memory/216-23-0x0000000000400000-0x0000000000554000-memory.dmp   (PID 216, the submitted sample)
The identical range in both processes is consistent with QQ.exe being a copy of the same loader image rather than a distinct second-stage binary.
Executes dropped EXE (1 IoC)
  PID 2796  QQ.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only) by 03a2cf836e01c4bbda317dff5f0bc869.exe (PID 216) on 23 drive roots:
  \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
(every letter except C:, D: and F:)
Drops autorun.inf file (1 TTP, 4 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
  File created                  C:\AutoRun.inf   03a2cf836e01c4bbda317dff5f0bc869.exe
  File opened for modification  C:\AutoRun.inf   03a2cf836e01c4bbda317dff5f0bc869.exe
  File created                  F:\AutoRun.inf   03a2cf836e01c4bbda317dff5f0bc869.exe
  File opened for modification  F:\AutoRun.inf   03a2cf836e01c4bbda317dff5f0bc869.exe
Caveat: since Windows 7, Windows honours AutoRun.inf only for optical media, so this file spreads the loader via USB or network volumes only on hosts where that default has been changed or on older systems. The dropped file is still a useful host-based indicator.
Drops file in Program Files directory (5 IoCs)
  File created                  C:\Program Files\QQ.exe                                        03a2cf836e01c4bbda317dff5f0bc869.exe
  File opened for modification  C:\Program Files\QQ.exe                                        03a2cf836e01c4bbda317dff5f0bc869.exe
  File created                  C:\Program Files\Delet.bat                                     03a2cf836e01c4bbda317dff5f0bc869.exe
  File created                  C:\Program Files\Common Files\Microsoft Shared\MSINFO\_QQ.exe  QQ.exe
  File opened for modification  C:\Program Files\Common Files\Microsoft Shared\MSINFO\_QQ.exe  QQ.exe
Creating files directly under C:\Program Files needs an elevated token; the sandbox runs the sample as the Admin user, so on a host where the sample runs unelevated this stage would fail or be virtualized, and the copy under Common Files\Microsoft Shared\MSINFO would not be written.
Suspicious use of WriteProcessMemory (6 IoCs)
  PID 216 (03a2cf836e01c4bbda317dff5f0bc869.exe) wrote to memory of PID 2796, three times  (procid_target 42)
  PID 216 (03a2cf836e01c4bbda317dff5f0bc869.exe) wrote to memory of PID 4608, three times  (procid_target 40)
Caveat: three writes by a parent into each child it has just created (QQ.exe and cmd.exe here) are consistent with CreateProcess populating the new process, so this signature alone does not establish code injection. The modiloader_stage2 hits on both PID 216 and PID 2796 above are the stronger evidence that QQ.exe carries the same loader code.
Processes
C:\Users\Admin\AppData\Local\Temp\03a2cf836e01c4bbda317dff5f0bc869.exe  (PID 216, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\03a2cf836e01c4bbda317dff5f0bc869.exe"
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe  (PID 4608, depth 2)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\Delet.bat""
    The parent asked for C:\Windows\system32\cmd.exe and WOW64 file-system redirection resolved it to SysWOW64, which tells us the dropper is a 32-bit process.
  C:\Program Files\QQ.exe  (PID 2796, depth 2)
    command line: "C:\Program Files\QQ.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
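The Signatures and the process tree above describe one behaviour chain: a binary in the user's Temp folder sweeps drive roots, writes AutoRun.inf at volume roots, drops an EXE and a BAT directly under C:\Program Files, then launches both. As an added example (not part of the tria.ge report and not the sandbox's own logic), the following Python turns that chain into detection rules and runs them over constructed Sysmon-style events that mirror the report's IoCs. The event schema, the field names, the benign control process and the five-drive threshold are assumptions made for this example.

```python
"""Detection rules for the behaviour in this report, run over constructed
Sysmon-style events (not sandbox output). The event schema, field names
and the drive-sweep threshold are assumptions made for this example."""
import re
from collections import defaultdict

# Constructed events modelled on the report's IoCs.
EVENTS = [
    {"type": "process_create", "pid": 216, "ppid": 4,
     "image": r"C:\Users\Admin\AppData\Local\Temp\03a2cf836e01c4bbda317dff5f0bc869.exe"},
    # Drive sweep: six of the 23 read-only root opens recorded in the report.
    *[{"type": "file_open", "pid": 216, "path": "\\??\\" + d + ":"} for d in "AEIJKU"],
    {"type": "file_create", "pid": 216, "path": r"C:\AutoRun.inf"},
    {"type": "file_create", "pid": 216, "path": r"F:\AutoRun.inf"},
    {"type": "file_create", "pid": 216, "path": r"C:\Program Files\QQ.exe"},
    {"type": "file_create", "pid": 216, "path": r"C:\Program Files\Delet.bat"},
    {"type": "process_create", "pid": 4608, "ppid": 216,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Program Files\Delet.bat""'},
    {"type": "process_create", "pid": 2796, "ppid": 216,
     "image": r"C:\Program Files\QQ.exe", "cmdline": r'"C:\Program Files\QQ.exe"'},
    {"type": "file_create", "pid": 2796,
     "path": r"C:\Program Files\Common Files\Microsoft Shared\MSINFO\_QQ.exe"},
    # Benign control (constructed): an installer creating its own vendor sub-folder.
    {"type": "process_create", "pid": 900, "ppid": 1,
     "image": r"C:\Users\Admin\Downloads\setup.exe"},
    {"type": "file_create", "pid": 900, "path": r"C:\Program Files\Vendor\app.exe"},
]

# AutoRun.inf written directly at a volume root (C:\AutoRun.inf, F:\AutoRun.inf).
AUTORUN_ROOT = re.compile(r"^[A-Z]:\\AutoRun\.inf$", re.I)
# Executable or script dropped directly under Program Files, no vendor folder.
PROGFILES_ROOT_EXEC = re.compile(
    r"^C:\\Program Files( \(x86\))?\\[^\\]+\.(exe|bat|cmd|dll|scr)$", re.I)
# NT-style root open as logged in the report, e.g. \??\J:
DRIVE_ROOT_OPEN = re.compile(r"^\\\?\?\\([A-Z]):$", re.I)
USER_TEMP = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
PROGFILES = re.compile(r"C:\\Program Files\\", re.I)
DRIVE_SWEEP_THRESHOLD = 5  # distinct roots opened by one process (assumed)


def detect(events):
    """Return (pid, rule, evidence) tuples; events are processed in order."""
    findings = []
    images = {}                 # pid -> image path, for parent lookups
    roots = defaultdict(set)    # pid -> distinct drive roots opened
    for ev in events:
        pid, kind = ev["pid"], ev["type"]
        if kind == "process_create":
            images[pid] = ev["image"]
            parent = images.get(ev["ppid"], "")
            cmdline = ev.get("cmdline", ev["image"])
            # A binary running from the user's Temp folder that launches
            # something in Program Files, or runs a .bat there via cmd /c.
            if USER_TEMP.match(parent) and (
                    PROGFILES.search(ev["image"]) or PROGFILES.search(cmdline)):
                findings.append((pid, "temp_parent_runs_program_files", cmdline))
        elif kind == "file_create":
            path = ev["path"]
            if AUTORUN_ROOT.match(path):
                findings.append((pid, "autorun_inf_at_volume_root", path))
            if PROGFILES_ROOT_EXEC.match(path):
                findings.append((pid, "exec_dropped_in_program_files_root", path))
        elif kind == "file_open":
            m = DRIVE_ROOT_OPEN.match(ev["path"])
            if m:
                roots[pid].add(m.group(1).upper())
                if len(roots[pid]) == DRIVE_SWEEP_THRESHOLD:   # fire once
                    findings.append((pid, "drive_letter_sweep",
                                     "".join(sorted(roots[pid]))))
    return findings


def by_process(findings):
    """Collapse findings to {pid: sorted rule names} for quick triage."""
    out = defaultdict(set)
    for pid, rule, _ in findings:
        out[pid].add(rule)
    return {pid: sorted(rules) for pid, rules in out.items()}


if __name__ == "__main__":
    for pid, rule, evidence in detect(EVENTS):
        print(f"PID {pid:>5}  {rule:<36} {evidence}")
```

Run as a script it lists one line per finding; `by_process` is the view a triage queue would consume. The Program Files rule deliberately anchors on the directory root: legitimate installers create a vendor sub-folder, which is why the constructed `setup.exe` writing `C:\Program Files\Vendor\app.exe` produces no finding while `QQ.exe` and `Delet.bat` do. The drive-sweep rule fires once, at the threshold, so a process touching all 23 roots from the report yields a single alert rather than 23.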
Network
(no network IoCs listed on this page)
MITRE ATT&CK Enterprise v15
(technique mapping not included on this page; the drive-enumeration and autorun signatures above are tagged with 3 and 1 TTPs respectively)
Downloads
Four files are available for download from this run; the page gives hashes only, not names or paths.
File 1
  Filesize: 184B
  MD5: ee0a7a8ec30438e0cbc5c5f919a152ac
  SHA1: 20abae314cdf81ec39745c7d98457557e883d7dc
  SHA256: e9727e76aedc97f4e189dd5d1c5fcfe3fd24f9613d464bccd08400855a3f1584
  SHA512: 32b5011702396554439f7293aada7726518ecc8cabae3b8036b8945e269bb2c95d3523f99b527ad1211aa41367747d3c24273fd11d83998f307358f45b6b3618
File 2
  Filesize: 31KB
  MD5: 73375c6f7338e23743460092881039f0
  SHA1: b1c24e2fe9cc5d783ed5de53cd742667c446d269
  SHA256: ffb93c35b0381e52f647a26d8e1a80b4ef7ffde1381d8210348954feb4eb77d0
  SHA512: 27a34df4e7813dbf3857855851dcfe57a2359e98ef9828f0eb3e646bbc07eaae81f3fc2d8cd5b757c61f2b81a3f0ca4ddb3de06b414f9d76df7a5381b1f6c5b2
File 3
  Filesize: 118KB
  MD5: 020fab9847275df94918fb52d91d7f98
  SHA1: daa87920d7377614d8b6d8bf59fb5d1d67d55e41
  SHA256: 3c71b3b87c2b83fd4c639aa60a00c098175192f5ddd8f06dbc5dc9b1c3df08b0
  SHA512: f89b0e637a7ddf7fe533d2d0e0e3a6cf672532c19687244f66c344dab567187581d10f79ae1711e0364d163069cfc4be0ae4b1cbd5e23b60636ea4322dd9aa83
File 4
  Filesize: 120KB
  MD5: c8df60663a0ae26f5f23b5820d2a53de
  SHA1: 5cdb576f9965f0b139056c8cef526fac6904c3cf
  SHA256: 50ce1045388ffb98d22ff0750bf9a258c22005461af12ca0ddb8eb108450ca69
  SHA512: d056b0f5bdd99a329322eca842659010b0ef2db6f8076f4ce2c570a5d7fbce0d3951bb3f42e1c8e2f5843bce8e17d96f3e1dfefcfa8b3b5e4f5422f0216b288a