Analysis
max time kernel: 146s
max time network: 138s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/12/2023, 01:50
Behavioral task behavioral1
  Sample: 2365e5ae55ff69806a18f70f0802d8e3.exe
  Resource: win7-20231215-en
Behavioral task behavioral2
  Sample: 2365e5ae55ff69806a18f70f0802d8e3.exe
  Resource: win10v2004-20231222-en
General
Target: 2365e5ae55ff69806a18f70f0802d8e3.exe
Size: 392KB
MD5: 2365e5ae55ff69806a18f70f0802d8e3
SHA1: 19f5493319b988c950482f749901846fdb2f676f
SHA256: 6e6aef49afd787d07ac598538f2c83e8690a0d7f4a79da6944b2b70e90b1b9eb
SHA512: 50dd7a5991592454f2373daf8d5bbd2ebe2bf1fe2097c8c372771a709c2f512ba44709ad8181bf1a9d9a24bbf28dc9591e36fe606d0711231bece4d7e47cf89e
SSDEEP: 6144:1bx1JNRm9uXcUy8yp8imvbkaKNjOG6O65s0mjY5WwAYa7zQ07qKLwkaupcP2BJDY:xJNRmOc6fbkvAGpPLjxzUuiPIsBH
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe ZReload.scr" | csrss.exe
-
ModiLoader Second Stage 10 IoCs
resource | yara_rule
behavioral2/memory/8-0-0x0000000000010000-0x0000000000079000-memory.dmp | modiloader_stage2
behavioral2/memory/3576-13-0x00000000021F0000-0x000000000229A000-memory.dmp | modiloader_stage2
behavioral2/memory/8-10-0x0000000000010000-0x0000000000079000-memory.dmp | modiloader_stage2
behavioral2/files/0x00080000000231f7-6.dat | modiloader_stage2
behavioral2/files/0x0006000000023209-17.dat | modiloader_stage2
behavioral2/memory/4800-37-0x00000000025A0000-0x000000000264A000-memory.dmp | modiloader_stage2
behavioral2/memory/1816-34-0x0000000000010000-0x0000000000079000-memory.dmp | modiloader_stage2
behavioral2/memory/3576-27-0x00000000021F0000-0x000000000229A000-memory.dmp | modiloader_stage2
behavioral2/files/0x00080000000231f7-22.dat | modiloader_stage2
behavioral2/memory/4800-72-0x00000000025A0000-0x000000000264A000-memory.dmp | modiloader_stage2
-
Drops file in Drivers directory 1 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\drivers\services.exe | csrss.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | 2365e5ae55ff69806a18f70f0802d8e3.exe
-
Executes dropped EXE 3 IoCs
pid | Process
1816 | csrss.exe
4800 | csrss.exe
4020 | services.exe
-
Loads dropped DLL 4 IoCs
pid | Process
8 | 2365e5ae55ff69806a18f70f0802d8e3.exe
8 | 2365e5ae55ff69806a18f70f0802d8e3.exe
1816 | csrss.exe
1816 | csrss.exe
-
Drops file in System32 directory 4 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\rlog.dllx | csrss.exe
File opened for modification | C:\Windows\SysWOW64\ZReload.scr | csrss.exe
File created | C:\Windows\SysWOW64\ZReload.scrx | csrss.exe
File created | C:\Windows\SysWOW64\Zreload.scr | csrss.exe
-
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 1816 set thread context of 4800 | 1816 | csrss.exe | 94
-
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\csrss.exe | cmd.exe
File opened for modification | C:\Windows\csrss.exe | cmd.exe
File opened for modification | C:\Windows\csrss.exe | csrss.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
4020 | services.exe
-
Suspicious use of WriteProcessMemory 19 IoCs
description | pid | Process | procid_target
PID 8 wrote to memory of 3576 | 8 | 2365e5ae55ff69806a18f70f0802d8e3.exe | 92
PID 8 wrote to memory of 3576 | 8 | 2365e5ae55ff69806a18f70f0802d8e3.exe | 92
PID 8 wrote to memory of 3576 | 8 | 2365e5ae55ff69806a18f70f0802d8e3.exe | 92
PID 8 wrote to memory of 3576 | 8 | 2365e5ae55ff69806a18f70f0802d8e3.exe | 92
PID 8 wrote to memory of 3576 | 8 | 2365e5ae55ff69806a18f70f0802d8e3.exe | 92
PID 3576 wrote to memory of 4744 | 3576 | 2365e5ae55ff69806a18f70f0802d8e3.exe | 91
PID 3576 wrote to memory of 4744 | 3576 | 2365e5ae55ff69806a18f70f0802d8e3.exe | 91
PID 3576 wrote to memory of 4744 | 3576 | 2365e5ae55ff69806a18f70f0802d8e3.exe | 91
PID 3576 wrote to memory of 1816 | 3576 | 2365e5ae55ff69806a18f70f0802d8e3.exe | 95
PID 3576 wrote to memory of 1816 | 3576 | 2365e5ae55ff69806a18f70f0802d8e3.exe | 95
PID 3576 wrote to memory of 1816 | 3576 | 2365e5ae55ff69806a18f70f0802d8e3.exe | 95
PID 1816 wrote to memory of 4800 | 1816 | csrss.exe | 94
PID 1816 wrote to memory of 4800 | 1816 | csrss.exe | 94
PID 1816 wrote to memory of 4800 | 1816 | csrss.exe | 94
PID 1816 wrote to memory of 4800 | 1816 | csrss.exe | 94
PID 1816 wrote to memory of 4800 | 1816 | csrss.exe | 94
PID 4800 wrote to memory of 4020 | 4800 | csrss.exe | 93
PID 4800 wrote to memory of 4020 | 4800 | csrss.exe | 93
PID 4800 wrote to memory of 4020 | 4800 | csrss.exe | 93
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\2365e5ae55ff69806a18f70f0802d8e3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2365e5ae55ff69806a18f70f0802d8e3.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 8
  [depth 2] C:\Users\Admin\AppData\Local\Temp\2365e5ae55ff69806a18f70f0802d8e3.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\2365e5ae55ff69806a18f70f0802d8e3.exe
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID: 3576
    [depth 3] C:\Windows\csrss.exe
      Command line: "C:\Windows\csrss.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      PID: 1816

[depth 1] C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c copy "C:\Users\Admin\AppData\Local\Temp\2365e5ae55ff69806a18f70f0802d8e3.exe" "C:\Windows\csrss.exe"
  - Drops file in Windows directory
  PID: 4744

[depth 1] C:\Windows\SysWOW64\drivers\services.exe
  Command line: C:\Windows\system32\drivers\services.exe
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 4020

[depth 1] C:\Windows\csrss.exe
  Command line: C:\Windows\csrss.exe
  - Modifies WinLogon for persistence
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID: 4800
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 10KB
MD5: ddb56c87d10647289236f9fe752d80cd
SHA1: e698b332a1a05bab72eb9f8f25d7e98314ae0124
SHA256: bd2e3f399610c873da9bc27204024524f481b10a22947193f6558246f05fae15
SHA512: c97e78ca6562a285270966b4af35e5103b8b9005a9c0b7c741cb58b941ab18ce2a6894c06087c0e7e0adae0a36113609583dbdc99a803dba0c63fbe3a768998c
-
Filesize: 19KB
MD5: dda37de6068ad16771e3a6464bb8778b
SHA1: 903317703bfcd07e9bea7246920de98916017e08
SHA256: e5fa2290f69a152c53dec772142ddb3d4c04cb2ee25ad05b0ec97ab202361f11
SHA512: 1d38ba967b34c6d48b8048bf282484bc6c8d6f3644a127a8102d3edbcf5dd854744da7e8f15b10b93b6124db634a7c891c1c175fca8a7b2e6810fc204132ea05
-
Filesize: 381KB
MD5: e5b8f91de46817f551b5c876a346f967
SHA1: 45b4fe598ec687291c390ee7b636cbb94b03e1ba
SHA256: 4e8944dc4995a717bcf9437a4f47c52eded0d90de94d025c6cfc87e29fed3773
SHA512: bf01b5b31abd2d92fc18ab55fe155fa70522fa6927348115b4c12ed94288cca5e00b12f5a4d1d4f96c92473039ad37d9c14f4c54acacb305325418ec8275913d