Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

9c6737753b...3c.exe

windows7-x64

10

9c6737753b...3c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    92s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/02/2024, 19:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9c6737753b3e1fc85c9d76634985c63c.exe

  • Size

    60KB

  • MD5

    9c6737753b3e1fc85c9d76634985c63c

  • SHA1

    c01154959a7478c76637bc2f2e5f866f5a8b863a

  • SHA256

    1932a5b773cdd7678ccc122ebb9d5f7c70455f5800c20e3ba39700ed73b5569c

  • SHA512

    23b63ad778be126be6500a09e19bc3fcf14551f3db980fd951f867684a4f462451ea638bda3345369e5c820765ab5ecb56143adb85d4b4b43da52c75c963e93e

  • SSDEEP

    1536:xm7wjsVTJ+p3JrkGLawHE/E2j+EDmDZIYcSCggVLkX:e+sVT45mn/bjncZIHlkX

Score
10/10
modiloadertrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • ModiLoader Second Stage 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3556
      • C:\Users\Admin\AppData\Local\Temp\9c6737753b3e1fc85c9d76634985c63c.exe
        "C:\Users\Admin\AppData\Local\Temp\9c6737753b3e1fc85c9d76634985c63c.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:680
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\temp.exe
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2900
          • C:\Users\Admin\AppData\Local\Temp\temp.exe
            C:\Users\Admin\AppData\Local\Temp\temp.exe
            4⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4616
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c C:\Windows\system32\kkkkkkk.bat
              5⤵
                PID:3760
      • C:\Windows\SysWOW64\tcpip.exe
        C:\Windows\SysWOW64\tcpip.exe
        1⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1380

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\temp.exe
        Filesize

        44KB

        MD5

        16d2f9658105b8a4d0e0adeaa483c87d

        SHA1

        bb455cdee07ef159cc1c4bc840956f1deb4ddae2

        SHA256

        f2ee14821043dfbce62daac61fe27ec9ed03afb395ffd85cdb59063d492784fb

        SHA512

        4e15d7db9edd3cf79e75df0665ef237cb4c9ceac250f86e51fdc35115a70b37243532f8e7adb6174a6600dfe5c8b363781ebed3c97a354bd42cb2769d3b6c815

        Download Submit

      • C:\Windows\SysWOW64\kkkkkkk.bat
        Filesize

        134B

        MD5

        8fd6d636cdee10d04a8a03a03ec2721f

        SHA1

        c1b84a770ef314e4b8b3db64e39631e5d17ea4bc

        SHA256

        b61a18a227dad25d44c88dc31ec845c532bdb8290fd93549b5c39d85f60eb66b

        SHA512

        0771e0ea8dddd230e27fdd0a4052bcc0c736331bf7a1473715da2f157100b548221d32e20aabfdd3bffdca9fe9fde2ee5d1fe37dec1ffed804440c84ca5348cd

        Download Submit

      • memory/680-0-0x0000000000400000-0x000000000042102F-memory.dmp

        Filesize

        132KB

        Download

      • memory/680-2-0x0000000000400000-0x000000000042102F-memory.dmp

        Filesize

        132KB

        Download