Analysis
- max time kernel: 119s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 14/02/2024, 19:03
Static task
- static1
Behavioral task
- behavioral1
  Sample: 9c6737753b3e1fc85c9d76634985c63c.exe
  Resource: win7-20231215-en
Behavioral task
- behavioral2
  Sample: 9c6737753b3e1fc85c9d76634985c63c.exe
  Resource: win10v2004-20231222-en
General
- Target: 9c6737753b3e1fc85c9d76634985c63c.exe
- Size: 60KB
- MD5: 9c6737753b3e1fc85c9d76634985c63c
- SHA1: c01154959a7478c76637bc2f2e5f866f5a8b863a
- SHA256: 1932a5b773cdd7678ccc122ebb9d5f7c70455f5800c20e3ba39700ed73b5569c
- SHA512: 23b63ad778be126be6500a09e19bc3fcf14551f3db980fd951f867684a4f462451ea638bda3345369e5c820765ab5ecb56143adb85d4b4b43da52c75c963e93e
- SSDEEP: 1536:xm7wjsVTJ+p3JrkGLawHE/E2j+EDmDZIYcSCggVLkX:e+sVT45mn/bjncZIHlkX
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage (3 IoCs)
  resource | yara_rule
  behavioral1/memory/2276-2-0x0000000000400000-0x000000000042102F-memory.dmp | modiloader_stage2
  behavioral1/files/0x000a000000012022-4.dat | modiloader_stage2
  behavioral1/files/0x000b000000015c1b-8.dat | modiloader_stage2
- Executes dropped EXE (2 IoCs)
  pid | Process
  1988 | temp.exe
  2716 | tcpip.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  2452 | cmd.exe
  2452 | cmd.exe
- Drops file in System32 directory (4 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\tcpip.exe | temp.exe
  File opened for modification | C:\Windows\SysWOW64\tcpip.exe | temp.exe
  File created | C:\Windows\SysWOW64\kkkkkkk.bat | temp.exe
  File created | C:\Windows\SysWOW64\wwinsystem.dll | tcpip.exe
- Suspicious behavior: EnumeratesProcesses (15 IoCs)
  pid | Process
  2276 | 9c6737753b3e1fc85c9d76634985c63c.exe
  2276 | 9c6737753b3e1fc85c9d76634985c63c.exe
  1988 | temp.exe
  1988 | temp.exe
  1988 | temp.exe
  1988 | temp.exe
  2716 | tcpip.exe
  2716 | tcpip.exe
  2716 | tcpip.exe
  2716 | tcpip.exe
  1988 | temp.exe
  1988 | temp.exe
  1988 | temp.exe
  1988 | temp.exe
  2716 | tcpip.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1988 | temp.exe
  Token: SeDebugPrivilege | 2716 | tcpip.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  description | pid | Process | procid_target
  PID 2276 wrote to memory of 2452 | 2276 | 9c6737753b3e1fc85c9d76634985c63c.exe | 28
  PID 2276 wrote to memory of 2452 | 2276 | 9c6737753b3e1fc85c9d76634985c63c.exe | 28
  PID 2276 wrote to memory of 2452 | 2276 | 9c6737753b3e1fc85c9d76634985c63c.exe | 28
  PID 2276 wrote to memory of 2452 | 2276 | 9c6737753b3e1fc85c9d76634985c63c.exe | 28
  PID 2452 wrote to memory of 1988 | 2452 | cmd.exe | 30
  PID 2452 wrote to memory of 1988 | 2452 | cmd.exe | 30
  PID 2452 wrote to memory of 1988 | 2452 | cmd.exe | 30
  PID 2452 wrote to memory of 1988 | 2452 | cmd.exe | 30
  PID 1988 wrote to memory of 2728 | 1988 | temp.exe | 32
  PID 1988 wrote to memory of 2728 | 1988 | temp.exe | 32
  PID 1988 wrote to memory of 2728 | 1988 | temp.exe | 32
  PID 1988 wrote to memory of 2728 | 1988 | temp.exe | 32
  PID 2716 wrote to memory of 1420 | 2716 | tcpip.exe | 15
Processes
- C:\Windows\Explorer.EXE (PID 1420)
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\9c6737753b3e1fc85c9d76634985c63c.exe (PID 2276)
    Command line: "C:\Users\Admin\AppData\Local\Temp\9c6737753b3e1fc85c9d76634985c63c.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2452)
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\temp.exe
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\temp.exe (PID 1988)
        Command line: C:\Users\Admin\AppData\Local\Temp\temp.exe
        - Executes dropped EXE
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\cmd.exe (PID 2728)
          Command line: cmd /c C:\Windows\system32\kkkkkkk.bat
- C:\Windows\SysWOW64\tcpip.exe (PID 2716)
  Command line: C:\Windows\SysWOW64\tcpip.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 44KB
  MD5: 16d2f9658105b8a4d0e0adeaa483c87d
  SHA1: bb455cdee07ef159cc1c4bc840956f1deb4ddae2
  SHA256: f2ee14821043dfbce62daac61fe27ec9ed03afb395ffd85cdb59063d492784fb
  SHA512: 4e15d7db9edd3cf79e75df0665ef237cb4c9ceac250f86e51fdc35115a70b37243532f8e7adb6174a6600dfe5c8b363781ebed3c97a354bd42cb2769d3b6c815
- Filesize: 134B
  MD5: 8fd6d636cdee10d04a8a03a03ec2721f
  SHA1: c1b84a770ef314e4b8b3db64e39631e5d17ea4bc
  SHA256: b61a18a227dad25d44c88dc31ec845c532bdb8290fd93549b5c39d85f60eb66b
  SHA512: 0771e0ea8dddd230e27fdd0a4052bcc0c736331bf7a1473715da2f157100b548221d32e20aabfdd3bffdca9fe9fde2ee5d1fe37dec1ffed804440c84ca5348cd
- Filesize: 19KB
  MD5: 029ec12148b611cff71c560fc783688b
  SHA1: 5177e408c29f20ca2f1849ed0f7aef583b687dde
  SHA256: f5f3bd142c69756a64bd325e2935a17424a510201ddf5ac79cba8c540491d9fb
  SHA512: 886ef214ba57fbc7f5886bfa2324c36994955c9a61a65fee541167417b983f1c4355dd6b231f6db3636a6c9b9ae8a33b5e71f8403cbf209a77f05a85e40ea2fe