Analysis
- max time kernel: 122s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 24/01/2024, 08:00
Behavioral task: behavioral1
- Sample: 71b29326e25cd4536eccf0f66c41b229.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 71b29326e25cd4536eccf0f66c41b229.exe
- Resource: win10v2004-20231215-en
General
- Target: 71b29326e25cd4536eccf0f66c41b229.exe
- Size: 1.0MB
- MD5: 71b29326e25cd4536eccf0f66c41b229
- SHA1: 10754a00be9726f05671f69d1790a7e797af87ab
- SHA256: 7b9ed8b14141105159a339086596cc103523e615b309e53beb56e68fb82df384
- SHA512: c290be316da8c240aefdbfc447c673473036a5ed3458b2141f06b0e3309faf0a4b4af385fde8aba0970568f618bd0d0bec44264aef6c0914e76f5f101ffec089
- SSDEEP: 24576:dvVoxa8cIWoSpaBFasuLcdm4RrU9hgauaEZsoVhka20y2o61yMWXQC+aSMysCP4V:ddoxa8cIWoSpaBFasuLcdrrU9hgauaEi
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage (1 IoC)
  resource                                                                    yara_rule
  behavioral1/memory/3024-35-0x0000000000400000-0x0000000000512000-memory.dmp  modiloader_stage2
- Executes dropped EXE (2 IoCs)
  pid   Process
  1700  4300_1.exe
  2808  4300_1.exe
- Loads dropped DLL (3 IoCs)
  pid   Process
  3024  71b29326e25cd4536eccf0f66c41b229.exe
  3024  71b29326e25cd4536eccf0f66c41b229.exe
  1700  4300_1.exe
- resource                                                                    yara_rule
  behavioral1/files/0x0009000000012252-2.dat                                  upx
  behavioral1/memory/1700-12-0x0000000000400000-0x000000000041A000-memory.dmp  upx
  behavioral1/memory/1700-31-0x0000000000400000-0x000000000041A000-memory.dmp  upx
- Suspicious use of SetThreadContext (1 IoC)
  description                           pid   Process     procid_target
  PID 1700 set thread context of 2808   1700  4300_1.exe  29
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  2808  4300_1.exe
  2808  4300_1.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid   Process
  2696  DllHost.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  1700  4300_1.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  description                          pid   Process                               procid_target
  PID 3024 wrote to memory of 1700     3024  71b29326e25cd4536eccf0f66c41b229.exe  28   (4 entries)
  PID 1700 wrote to memory of 2808     1700  4300_1.exe                            29   (8 entries)
  PID 2808 wrote to memory of 1284     2808  4300_1.exe                            15   (4 entries)
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1284
  - C:\Users\Admin\AppData\Local\Temp\71b29326e25cd4536eccf0f66c41b229.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\71b29326e25cd4536eccf0f66c41b229.exe"
    PID: 3024
    Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\4300_1.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\4300_1.exe"
      PID: 1700
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\4300_1.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\4300_1.exe
        PID: 2808
        Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  PID: 2696
  Signatures: Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 998KB
  MD5: 58456ce8c188ec2c66c488f5f21e7e4f
  SHA1: 757b7838b29d23ab5e1d00ff513527f51224cd6e
  SHA256: 451009a3c6d006a5108cfef35a0db0bfe7a302f3c24814f55295945b7946b552
  SHA512: 54e8d345ef8e2baf88c13849cd8bfae972ac2b9ecf189e3c22b4be786636528ed8c7f49e65516ea2141e097c5caec6d04f37938afc58e52e11f7867af6380098
- Filesize: 56KB
  MD5: f675d5cd6440557c1468544f7ef88298
  SHA1: a71b3c7a8bc4dd41773e93758f34e9b974e1d475
  SHA256: 87aa72f7daf03411bef423c089496e95b7ee54737413b84c666f0c7920932fb6
  SHA512: f3798fa2b2274063bcfaf16c7a8881e33320faa75a1e2d16b835e0ccfde65182d89b63b047384f4942212132584f349a2c1f80de347a7439805ce81c111616d5