Analysis
- max time kernel: 140s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 18/01/2024, 19:23
Behavioral task: behavioral1
- Sample: 65d675c2b2ddaa5d4cd9e664e828ff6f.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 65d675c2b2ddaa5d4cd9e664e828ff6f.exe
- Resource: win10v2004-20231215-en
General
- Target: 65d675c2b2ddaa5d4cd9e664e828ff6f.exe
- Size: 396KB
- MD5: 65d675c2b2ddaa5d4cd9e664e828ff6f
- SHA1: 83b851d4948d2b2e816d7b37243b6040cb876e87
- SHA256: 23510e22393982e935093cce2d34e81ec14f75a63a19d4ffd64680bfe0a03df8
- SHA512: c1a12132bed35086df3cf59a97e6b8ca18a62ddaa440b101e3467d703eef5eb80b3ee26c251ad045a49d5719aecfa48ef1959311c5137ea34e89c51b2f629287
- SSDEEP: 6144:1E9yDzN5oqKVsJAC328uO6s1wQW877buWxjy/qj+aA/pa:yEDJ5ofs9BuOB1wQW87XuWxM
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage (1 IoC)
  resource | yara_rule
  behavioral1/memory/2232-0-0x0000000006200000-0x0000000006268000-memory.dmp | modiloader_stage2
- Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  928 | 2232 | WerFault.exe | 27
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 2232 wrote to memory of 928 | 2232 | 65d675c2b2ddaa5d4cd9e664e828ff6f.exe | 28
  PID 2232 wrote to memory of 928 | 2232 | 65d675c2b2ddaa5d4cd9e664e828ff6f.exe | 28
  PID 2232 wrote to memory of 928 | 2232 | 65d675c2b2ddaa5d4cd9e664e828ff6f.exe | 28
  PID 2232 wrote to memory of 928 | 2232 | 65d675c2b2ddaa5d4cd9e664e828ff6f.exe | 28
Processes
- C:\Users\Admin\AppData\Local\Temp\65d675c2b2ddaa5d4cd9e664e828ff6f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\65d675c2b2ddaa5d4cd9e664e828ff6f.exe"
  PID: 2232
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 160
    PID: 928
    - Program crash