Analysis
max time kernel: 141s
max time network: 127s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 31/12/2023, 05:16
Static task: static1

Behavioral task: behavioral1
  Sample: 29a157fe9d33e9520dd77b8e0dfe6dcd.exe
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample: 29a157fe9d33e9520dd77b8e0dfe6dcd.exe
  Resource: win10v2004-20231215-en
General
Target: 29a157fe9d33e9520dd77b8e0dfe6dcd.exe
Size: 499KB
MD5: 29a157fe9d33e9520dd77b8e0dfe6dcd
SHA1: 0378da0ae8305b9b54999f3b9e42352ecb464df6
SHA256: 715bfe03c147757c14e668fa318ef48287fa96ff8eb888431a84500f062ca789
SHA512: 15f24b270c25022e11ea3b6fdce7b6b6af2f2185d173c49a1bf2a9479801fe326c7df49dbff49d9fce737a43627d3cd9bd22e68851eb1315ec43d898c6aa53f4
SSDEEP: 12288:RQcRdz8fLCUuoTeAa5tF3Z4mxxnzRwd/2eK+TggG:hdEL6oTe5QmXnz+M5ht
Malware Config
Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage (8 IoCs)
resource                                                                       yara_rule
behavioral1/files/0x000900000001222a-66.dat                                    modiloader_stage2
behavioral1/memory/2604-70-0x0000000000460000-0x00000000004BB000-memory.dmp    modiloader_stage2
behavioral1/memory/2084-75-0x0000000000400000-0x00000000004B9000-memory.dmp    modiloader_stage2
behavioral1/memory/2604-77-0x0000000000460000-0x00000000004BB000-memory.dmp    modiloader_stage2
behavioral1/memory/2604-79-0x0000000000460000-0x00000000004BB000-memory.dmp    modiloader_stage2
behavioral1/memory/2604-81-0x0000000000460000-0x00000000004BB000-memory.dmp    modiloader_stage2
behavioral1/memory/2604-87-0x0000000000460000-0x00000000004BB000-memory.dmp    modiloader_stage2
behavioral1/memory/2604-89-0x0000000000460000-0x00000000004BB000-memory.dmp    modiloader_stage2

Sets DLL path for service in the registry (2 TTPs, 1 IoC)
description        ioc                                                                                                                   Process
Set value (str)    \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\netctrl\Parameters\ServiceDll = "C:\\Windows\\system32\\sys.dll"    29a157fe9d33e9520dd77b8e0dfe6dcd.exe

Loads dropped DLL (1 IoC)
pid     Process
2604    svchost.exe

Drops file in System32 directory (2 IoCs)
description                     ioc                              Process
File created                    C:\Windows\SysWOW64\sys.dll      29a157fe9d33e9520dd77b8e0dfe6dcd.exe
File opened for modification    C:\Windows\SysWOW64\sys.dll      29a157fe9d33e9520dd77b8e0dfe6dcd.exe

Suspicious use of WriteProcessMemory (4 IoCs)
description                    pid     Process                                 procid_target
PID 2084 wrote to memory of 3036    2084    29a157fe9d33e9520dd77b8e0dfe6dcd.exe    29
PID 2084 wrote to memory of 3036    2084    29a157fe9d33e9520dd77b8e0dfe6dcd.exe    29
PID 2084 wrote to memory of 3036    2084    29a157fe9d33e9520dd77b8e0dfe6dcd.exe    29
PID 2084 wrote to memory of 3036    2084    29a157fe9d33e9520dd77b8e0dfe6dcd.exe    29
Processes

C:\Users\Admin\AppData\Local\Temp\29a157fe9d33e9520dd77b8e0dfe6dcd.exe  (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\29a157fe9d33e9520dd77b8e0dfe6dcd.exe"
  PID: 2084
  Sets DLL path for service in the registry
  Drops file in System32 directory
  Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe  (depth 2, child of PID 2084)
    Command line: cmd /c del
    PID: 3036

C:\Windows\SysWOW64\svchost.exe  (depth 1)
  Command line: C:\Windows\SysWOW64\svchost.exe -k remoteservice
  PID: 2604
  Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 333KB
MD5: a0de1d1cfffe0fbcd2d2a2c85d087cc0
SHA1: d80e16e1194af186cd25ce5635244fef006a71a9
SHA256: 860b9788e602dec6c9bd4915602a192d1ff90a42b674273f2f9123ac49aab4d7
SHA512: 200f5fb9bc3b5e341d6a3d4e12439d36bef82007d11cfc2211696878d4f7d861a7fc998f1394f6a1bbe195e52fcfecbc03afe9ed4238dc309cd8c50f2ed679f5