Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

2365e5ae55...e3.exe

windows7-x64

10

2365e5ae55...e3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    31/12/2023, 01:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2365e5ae55ff69806a18f70f0802d8e3.exe

  • Size

    392KB

  • MD5

    2365e5ae55ff69806a18f70f0802d8e3

  • SHA1

    19f5493319b988c950482f749901846fdb2f676f

  • SHA256

    6e6aef49afd787d07ac598538f2c83e8690a0d7f4a79da6944b2b70e90b1b9eb

  • SHA512

    50dd7a5991592454f2373daf8d5bbd2ebe2bf1fe2097c8c372771a709c2f512ba44709ad8181bf1a9d9a24bbf28dc9591e36fe606d0711231bece4d7e47cf89e

  • SSDEEP

    6144:1bx1JNRm9uXcUy8yp8imvbkaKNjOG6O65s0mjY5WwAYa7zQ07qKLwkaupcP2BJDY:xJNRmOc6fbkvAGpPLjxzUuiPIsBH

Score
10/10
modiloaderpersistencetrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • ModiLoader Second Stage 12 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2365e5ae55ff69806a18f70f0802d8e3.exe
    "C:\Users\Admin\AppData\Local\Temp\2365e5ae55ff69806a18f70f0802d8e3.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2404
    • C:\Users\Admin\AppData\Local\Temp\2365e5ae55ff69806a18f70f0802d8e3.exe
      C:\Users\Admin\AppData\Local\Temp\2365e5ae55ff69806a18f70f0802d8e3.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2656
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c copy "C:\Users\Admin\AppData\Local\Temp\2365e5ae55ff69806a18f70f0802d8e3.exe" "C:\Windows\csrss.exe"
        3⤵
        • Drops file in Windows directory
        PID:2784
      • C:\Windows\csrss.exe
        "C:\Windows\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2976
        • C:\Windows\csrss.exe
          C:\Windows\csrss.exe
          4⤵
          • Modifies WinLogon for persistence
          • Drops file in Drivers directory
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Suspicious use of WriteProcessMemory
          PID:2596
  • C:\Windows\SysWOW64\drivers\services.exe
    C:\Windows\system32\drivers\services.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetWindowsHookEx
    PID:2800

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\kacir.bin
    Filesize

    10KB

    MD5

    ddb56c87d10647289236f9fe752d80cd

    SHA1

    e698b332a1a05bab72eb9f8f25d7e98314ae0124

    SHA256

    bd2e3f399610c873da9bc27204024524f481b10a22947193f6558246f05fae15

    SHA512

    c97e78ca6562a285270966b4af35e5103b8b9005a9c0b7c741cb58b941ab18ce2a6894c06087c0e7e0adae0a36113609583dbdc99a803dba0c63fbe3a768998c

    Download Submit

  • C:\Windows\SysWOW64\Zreload.scr
    Filesize

    14KB

    MD5

    6abb069dc49bd126d961a5f6a86f6476

    SHA1

    ed739f57de5865f50e2d45c6ff561a7dac1d9aba

    SHA256

    5b8472a155319b7efb5c1014ac2e496a5d8d1983cf03c01109e5f9fc84856d11

    SHA512

    eb655772d493654a15a4ac43b5d26d4e17b934e720f0ea434177bf5cb3c4432ce3d0d4e5813b5da7925cedde729305bc4d8cb263ee20e618dc389dbd4bb0a246

    Download Submit

  • C:\Windows\SysWOW64\drivers\services.exe
    Filesize

    17KB

    MD5

    0a1fddec35b3b40756a26c044e22dbe1

    SHA1

    017d4e673666088307951a7cdc7bce85a351faaf

    SHA256

    a8da23fe337876557631d6122ae1ea0ab4fb1fd02f2c2b2c18317b53cd0c81b7

    SHA512

    7a3c30fa5cf5ea19774c094c54627a18beb7f21570710808d1c10e43aebcca654c13192617d027a264807fa4171cb2f52204642fd1be841a15d231bf75cf074b

    Download Submit

  • C:\Windows\csrss.exe
    Filesize

    340KB

    MD5

    92c1e910b7f031a8a0b5cc7190154951

    SHA1

    0b97f4275e5283db5d92dfa2f586b883b6eb84d2

    SHA256

    8b676005fa1a12047a8dea8c003ddda302b175715d9e744fee6b815c8f39782c

    SHA512

    6123858de8a54d1f8df7adbfbab1950d5f593a748d4c66d7f0615e59b688a41503cffc85d87df66f814edb33ab12b1adc58673b5d44f1d53e14ba2ff79ccd856

    Download Submit

  • C:\Windows\csrss.exe
    Filesize

    355KB

    MD5

    45f6cf6fb3320478f178eecbbfbbf12f

    SHA1

    bf1dc79e6ad663d72d0f11143d71769909e7511e

    SHA256

    f6a8ddaa98fd827969282755e0be5bb8fafcba2ca025c92c0853ad961b4f4c06

    SHA512

    419b5763a1bb2db396b1a0706f10fb76c0448ad3c8f1dc6d1b3a526c4fe0415ad17e62ddacde83a348f66aa4d35042c14cc96fe2d97d7fc2b9f56648d63acad4

    Download Submit

  • C:\Windows\csrss.exe
    Filesize

    340KB

    MD5

    75ab8bc25c3308e7486b011efa5124e0

    SHA1

    3e2ab9db6f5bea5a0321d4b40e1d0e3e12b5230a

    SHA256

    e261e6a36eaa7d714653d6fec0109019a58d4756e47682777e6194fa47a8c44b

    SHA512

    4908c79a0ada744ab1a80e89b72b0c3f9490143b3655c20744ea26588b5df7746f80b3ad4eab876ee39e9f4a0100ea0c1d9739c000b01af1eeb3857fc17b2fab

    Download Submit

  • \Users\Admin\AppData\Local\Temp\kacir.dll
    Filesize

    19KB

    MD5

    dda37de6068ad16771e3a6464bb8778b

    SHA1

    903317703bfcd07e9bea7246920de98916017e08

    SHA256

    e5fa2290f69a152c53dec772142ddb3d4c04cb2ee25ad05b0ec97ab202361f11

    SHA512

    1d38ba967b34c6d48b8048bf282484bc6c8d6f3644a127a8102d3edbcf5dd854744da7e8f15b10b93b6124db634a7c891c1c175fca8a7b2e6810fc204132ea05

    Download Submit

  • memory/2404-15-0x0000000000010000-0x0000000000079000-memory.dmp

    Filesize

    420KB

    Download

  • memory/2404-1-0x0000000000010000-0x0000000000079000-memory.dmp

    Filesize

    420KB

    Download

  • memory/2596-47-0x0000000003DC0000-0x0000000003DC1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2596-46-0x0000000000460000-0x000000000050A000-memory.dmp

    Filesize

    680KB

    Download

  • memory/2596-79-0x0000000000460000-0x000000000050A000-memory.dmp

    Filesize

    680KB

    Download

  • memory/2596-86-0x0000000003DC0000-0x0000000003DC1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2656-32-0x00000000005B0000-0x000000000065D000-memory.dmp

    Filesize

    692KB

    Download

  • memory/2656-19-0x0000000003DC0000-0x0000000003DC1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2656-18-0x0000000000430000-0x00000000004DA000-memory.dmp

    Filesize

    680KB

    Download

  • memory/2656-17-0x00000000005B0000-0x000000000065D000-memory.dmp

    Filesize

    692KB

    Download

  • memory/2656-33-0x0000000000430000-0x00000000004DA000-memory.dmp

    Filesize

    680KB

    Download

  • memory/2656-16-0x00000000005B0000-0x000000000065D000-memory.dmp

    Filesize

    692KB

    Download

  • memory/2656-12-0x00000000005B0000-0x000000000065D000-memory.dmp

    Filesize

    692KB

    Download

  • memory/2656-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2656-8-0x00000000005B0000-0x000000000065D000-memory.dmp

    Filesize

    692KB

    Download

  • memory/2800-71-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2976-44-0x0000000000010000-0x0000000000079000-memory.dmp

    Filesize

    420KB

    Download