Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
144s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
29/01/2024, 00:11
Behavioral task
behavioral1
Sample
7e5ed0f125ebcfccc4c256c1b753e367.exe
Resource
win7-20231215-en
General
-
Target
7e5ed0f125ebcfccc4c256c1b753e367.exe
-
Size
999KB
-
MD5
7e5ed0f125ebcfccc4c256c1b753e367
-
SHA1
c4ab02cfae62e0ab4932233f7397f41057bf362c
-
SHA256
ea6b7a5a586cff0836c14018509e93ddcf75b524694c2a6bda166efd1d86f9c9
-
SHA512
d2f2a31df5a11a6c52038d06dfbd2b57656e8fe51cd505bbf8abc204b6f733a4e085ff1267b5e7a48e46b73c4f03e712fbb603dea54a3fd6532988164d11ca82
-
SSDEEP
24576:ThAyNr5Xk6cJvH3scLUwo6ZEjmW0cfU43dzux:WyNr+6cdpo1mwc43Bu
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" mstwain32.exe -
ModiLoader Second Stage 21 IoCs
resource yara_rule behavioral1/memory/2192-1-0x0000000000400000-0x00000000004FC000-memory.dmp modiloader_stage2 behavioral1/memory/2192-22-0x0000000000400000-0x00000000004FC000-memory.dmp modiloader_stage2 behavioral1/memory/2192-32-0x0000000000400000-0x00000000004FC000-memory.dmp modiloader_stage2 behavioral1/memory/1620-39-0x0000000000400000-0x00000000004FC000-memory.dmp modiloader_stage2 behavioral1/memory/1620-65-0x00000000766D0000-0x00000000767C0000-memory.dmp modiloader_stage2 behavioral1/memory/1620-72-0x0000000000400000-0x00000000004FC000-memory.dmp modiloader_stage2 behavioral1/memory/1620-73-0x0000000000400000-0x00000000004FC000-memory.dmp modiloader_stage2 behavioral1/memory/1620-74-0x0000000000400000-0x00000000004FC000-memory.dmp modiloader_stage2 behavioral1/memory/1620-75-0x0000000000400000-0x00000000004FC000-memory.dmp modiloader_stage2 behavioral1/memory/1620-76-0x00000000766D0000-0x00000000767C0000-memory.dmp modiloader_stage2 behavioral1/memory/1620-77-0x0000000000400000-0x00000000004FC000-memory.dmp modiloader_stage2 behavioral1/memory/1620-78-0x0000000000400000-0x00000000004FC000-memory.dmp modiloader_stage2 behavioral1/memory/1620-80-0x0000000000400000-0x00000000004FC000-memory.dmp modiloader_stage2 behavioral1/memory/1620-81-0x0000000000400000-0x00000000004FC000-memory.dmp modiloader_stage2 behavioral1/memory/1620-82-0x0000000000400000-0x00000000004FC000-memory.dmp modiloader_stage2 behavioral1/memory/1620-83-0x0000000000400000-0x00000000004FC000-memory.dmp modiloader_stage2 behavioral1/memory/1620-84-0x0000000000400000-0x00000000004FC000-memory.dmp modiloader_stage2 behavioral1/memory/1620-85-0x0000000000400000-0x00000000004FC000-memory.dmp modiloader_stage2 behavioral1/memory/1620-86-0x0000000000400000-0x00000000004FC000-memory.dmp modiloader_stage2 behavioral1/memory/1620-87-0x0000000000400000-0x00000000004FC000-memory.dmp modiloader_stage2 behavioral1/memory/1620-88-0x0000000000400000-0x00000000004FC000-memory.dmp modiloader_stage2 -
Deletes itself 1 IoCs
pid Process 1620 mstwain32.exe -
Executes dropped EXE 1 IoCs
pid Process 1620 mstwain32.exe -
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Wine mstwain32.exe Key opened \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Wine 7e5ed0f125ebcfccc4c256c1b753e367.exe -
resource yara_rule behavioral1/memory/2192-0-0x0000000000400000-0x00000000004FC000-memory.dmp themida behavioral1/memory/2192-1-0x0000000000400000-0x00000000004FC000-memory.dmp themida behavioral1/memory/2192-22-0x0000000000400000-0x00000000004FC000-memory.dmp themida behavioral1/memory/2192-32-0x0000000000400000-0x00000000004FC000-memory.dmp themida behavioral1/files/0x00060000000055de-29.dat themida behavioral1/memory/1620-35-0x0000000000400000-0x00000000004FC000-memory.dmp themida behavioral1/memory/1620-39-0x0000000000400000-0x00000000004FC000-memory.dmp themida behavioral1/memory/1620-65-0x00000000766D0000-0x00000000767C0000-memory.dmp themida behavioral1/memory/1620-72-0x0000000000400000-0x00000000004FC000-memory.dmp themida behavioral1/memory/1620-73-0x0000000000400000-0x00000000004FC000-memory.dmp themida behavioral1/memory/1620-74-0x0000000000400000-0x00000000004FC000-memory.dmp themida behavioral1/memory/1620-75-0x0000000000400000-0x00000000004FC000-memory.dmp themida behavioral1/memory/1620-77-0x0000000000400000-0x00000000004FC000-memory.dmp themida behavioral1/memory/1620-78-0x0000000000400000-0x00000000004FC000-memory.dmp themida behavioral1/memory/1620-80-0x0000000000400000-0x00000000004FC000-memory.dmp themida behavioral1/memory/1620-81-0x0000000000400000-0x00000000004FC000-memory.dmp themida behavioral1/memory/1620-82-0x0000000000400000-0x00000000004FC000-memory.dmp themida behavioral1/memory/1620-83-0x0000000000400000-0x00000000004FC000-memory.dmp themida behavioral1/memory/1620-84-0x0000000000400000-0x00000000004FC000-memory.dmp themida behavioral1/memory/1620-85-0x0000000000400000-0x00000000004FC000-memory.dmp themida behavioral1/memory/1620-86-0x0000000000400000-0x00000000004FC000-memory.dmp themida behavioral1/memory/1620-87-0x0000000000400000-0x00000000004FC000-memory.dmp themida behavioral1/memory/1620-88-0x0000000000400000-0x00000000004FC000-memory.dmp themida -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\mstwain32 = "C:\\Windows\\mstwain32.exe" mstwain32.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 7e5ed0f125ebcfccc4c256c1b753e367.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA mstwain32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" mstwain32.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 2192 7e5ed0f125ebcfccc4c256c1b753e367.exe 1620 mstwain32.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\mstwain32.exe 7e5ed0f125ebcfccc4c256c1b753e367.exe File opened for modification C:\Windows\mstwain32.exe 7e5ed0f125ebcfccc4c256c1b753e367.exe File created C:\Windows\ntdtcstp.dll mstwain32.exe File created C:\Windows\cmsetac.dll mstwain32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2192 7e5ed0f125ebcfccc4c256c1b753e367.exe 1620 mstwain32.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 2192 7e5ed0f125ebcfccc4c256c1b753e367.exe Token: SeBackupPrivilege 2608 vssvc.exe Token: SeRestorePrivilege 2608 vssvc.exe Token: SeAuditPrivilege 2608 vssvc.exe Token: SeDebugPrivilege 1620 mstwain32.exe Token: SeDebugPrivilege 1620 mstwain32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1620 mstwain32.exe 1620 mstwain32.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2192 wrote to memory of 1620 2192 7e5ed0f125ebcfccc4c256c1b753e367.exe 31 PID 2192 wrote to memory of 1620 2192 7e5ed0f125ebcfccc4c256c1b753e367.exe 31 PID 2192 wrote to memory of 1620 2192 7e5ed0f125ebcfccc4c256c1b753e367.exe 31 PID 2192 wrote to memory of 1620 2192 7e5ed0f125ebcfccc4c256c1b753e367.exe 31 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" mstwain32.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\7e5ed0f125ebcfccc4c256c1b753e367.exe"C:\Users\Admin\AppData\Local\Temp\7e5ed0f125ebcfccc4c256c1b753e367.exe"1⤵
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\mstwain32.exe"C:\Windows\mstwain32.exe" \melt "C:\Users\Admin\AppData\Local\Temp\7e5ed0f125ebcfccc4c256c1b753e367.exe"2⤵
- UAC bypass
- Deletes itself
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1620
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2608
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
3Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
999KB
MD57e5ed0f125ebcfccc4c256c1b753e367
SHA1c4ab02cfae62e0ab4932233f7397f41057bf362c
SHA256ea6b7a5a586cff0836c14018509e93ddcf75b524694c2a6bda166efd1d86f9c9
SHA512d2f2a31df5a11a6c52038d06dfbd2b57656e8fe51cd505bbf8abc204b6f733a4e085ff1267b5e7a48e46b73c4f03e712fbb603dea54a3fd6532988164d11ca82