Analysis
- max time kernel: 144s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 30/12/2023, 20:44
Static task: static1
Behavioral task: behavioral1
- Sample: 1c18011c2def0325b221efc7952112f9.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 1c18011c2def0325b221efc7952112f9.exe
- Resource: win10v2004-20231215-en
General
- Target: 1c18011c2def0325b221efc7952112f9.exe
- Size: 499KB
- MD5: 1c18011c2def0325b221efc7952112f9
- SHA1: c39b52f5a7c856ebd9ca3049152e03da62abee8e
- SHA256: 771d46e06cdf01fc249bd965f721777ac5b89124d081bcc048189b3f7246e30f
- SHA512: 092f899c8d1ab57da9a80916831f211aa746097196983dfdeb545e95c4df3b4652ad0d9845ee884a7b50a823da77ace463c2060d7e8aa8430416a67ee9254037
- SSDEEP: 12288:RPfkp9tfoTrF3Z4mxxRSJGiz94/sCrxDVS:VuN2QmXIJG1BY
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage (7 IoCs)
  resource | yara_rule
  behavioral1/memory/2032-4-0x0000000000400000-0x00000000004BF000-memory.dmp | modiloader_stage2
  behavioral1/memory/2032-28-0x0000000000400000-0x00000000004BF000-memory.dmp | modiloader_stage2
  behavioral1/memory/1336-33-0x0000000000400000-0x000000000046F000-memory.dmp | modiloader_stage2
  behavioral1/memory/1336-36-0x0000000000400000-0x000000000046F000-memory.dmp | modiloader_stage2
  behavioral1/memory/1336-37-0x0000000000400000-0x000000000046F000-memory.dmp | modiloader_stage2
  behavioral1/memory/1336-38-0x0000000000400000-0x000000000046F000-memory.dmp | modiloader_stage2
  behavioral1/memory/1336-39-0x0000000000400000-0x000000000046F000-memory.dmp | modiloader_stage2
- Sets DLL path for service in the registry (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\netrt\Parameters\ServiceDll = "C:\\Windows\\System32\\sysn.dll" | 1c18011c2def0325b221efc7952112f9.exe
- ACProtect 1.3x - 1.4x DLL software (1 IoC)
  Detects file using ACProtect software.
  resource | yara_rule
  behavioral1/files/0x00080000000142bc-26.dat | acprotect
- Deletes itself (1 IoC)
  pid | Process
  2680 | cmd.exe
- Loads dropped DLL (1 IoC)
  pid | Process
  1336 | svchost.exe
- resource | yara_rule
  behavioral1/files/0x00080000000142bc-26.dat | upx
  behavioral1/memory/1336-32-0x0000000000400000-0x000000000046F000-memory.dmp | upx
  behavioral1/memory/1336-33-0x0000000000400000-0x000000000046F000-memory.dmp | upx
  behavioral1/memory/1336-36-0x0000000000400000-0x000000000046F000-memory.dmp | upx
  behavioral1/memory/1336-37-0x0000000000400000-0x000000000046F000-memory.dmp | upx
  behavioral1/memory/1336-38-0x0000000000400000-0x000000000046F000-memory.dmp | upx
  behavioral1/memory/1336-39-0x0000000000400000-0x000000000046F000-memory.dmp | upx
- Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\sysn.dll | 1c18011c2def0325b221efc7952112f9.exe
  File opened for modification | C:\Windows\SysWOW64\sysn.dll | 1c18011c2def0325b221efc7952112f9.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (12 IoCs)
  description | pid | Process
  Token: SeBackupPrivilege | 2032 | 1c18011c2def0325b221efc7952112f9.exe
  Token: SeRestorePrivilege | 2032 | 1c18011c2def0325b221efc7952112f9.exe
  Token: SeRestorePrivilege | 2032 | 1c18011c2def0325b221efc7952112f9.exe
  Token: SeRestorePrivilege | 2032 | 1c18011c2def0325b221efc7952112f9.exe
  Token: SeRestorePrivilege | 2032 | 1c18011c2def0325b221efc7952112f9.exe
  Token: SeRestorePrivilege | 2032 | 1c18011c2def0325b221efc7952112f9.exe
  Token: SeBackupPrivilege | 2032 | 1c18011c2def0325b221efc7952112f9.exe
  Token: SeRestorePrivilege | 2032 | 1c18011c2def0325b221efc7952112f9.exe
  Token: SeRestorePrivilege | 2032 | 1c18011c2def0325b221efc7952112f9.exe
  Token: SeRestorePrivilege | 2032 | 1c18011c2def0325b221efc7952112f9.exe
  Token: SeRestorePrivilege | 2032 | 1c18011c2def0325b221efc7952112f9.exe
  Token: SeRestorePrivilege | 2032 | 1c18011c2def0325b221efc7952112f9.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 2032 wrote to memory of 2680 | 2032 | 1c18011c2def0325b221efc7952112f9.exe | 30
  PID 2032 wrote to memory of 2680 | 2032 | 1c18011c2def0325b221efc7952112f9.exe | 30
  PID 2032 wrote to memory of 2680 | 2032 | 1c18011c2def0325b221efc7952112f9.exe | 30
  PID 2032 wrote to memory of 2680 | 2032 | 1c18011c2def0325b221efc7952112f9.exe | 30
Processes
- C:\Users\Admin\AppData\Local\Temp\1c18011c2def0325b221efc7952112f9.exe (PID 2032)
  command line: "C:\Users\Admin\AppData\Local\Temp\1c18011c2def0325b221efc7952112f9.exe"
  - Sets DLL path for service in the registry
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2680)
    command line: cmd /c del "C:\Users\Admin\AppData\Local\Temp\1c18011c2def0325b221efc7952112f9.exe"
    - Deletes itself
- C:\Windows\SysWOW64\svchost.exe (PID 1336)
  command line: C:\Windows\SysWOW64\svchost.exe -k network
  - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 156KB
- MD5: fd7ff3a505fff9cc75116db3f741ca2e
- SHA1: eba74aa61621284b7a175e27047359481bad62e7
- SHA256: 44b0885b14c66f550633b47cb60535722b8e9d0690b02bc8a2fd0e9d0a304cda
- SHA512: f98727b9ac0ee6579149ea4f05cedaa76a9314396819f392c3e72f25c39f186f847952383e725a898366c721d4d37874c289fc7cf2d4e9c1594b573130f28b73