Resubmissions

01/03/2024, 15:31

240301-syf2vahd64 10

20/02/2024, 16:00

240220-tfmmcaba5s 10

Analysis

  • max time kernel
    133s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    20/02/2024, 16:00

General

  • Target

    Swift 19022024.bat

  • Size

    2.2MB

  • MD5

    6dc5aa35800875f5e06a20da26286f13

  • SHA1

    b9fbf17b8a2aeae452050b2f660ef8cff024a433

  • SHA256

    db5c362b0b4ec0a9bbc7b2c5a186a22019c82c2a96a7c326fad2e1f095de22db

  • SHA512

    a51120e0800a2694ae14267faf667dc5f37be76bf17bcc042931ef8a1f7f8b38237bf12f441ce3eec7eb4aba15428e3ddcbaa2f23a2944b7f8adbe9c9a5649ab

  • SSDEEP

    24576:RLM2LFX2P6Qv1hhxfAswo1eoKHMX+mIi8g1CLbGBi3oucj+9OtOT+a0sloBJCpDo:RYQSv1fxfAsJ1eoVuSDW0YXEx

Score
10/10

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • ModiLoader Second Stage 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Program crash 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Swift 19022024.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2904
    • C:\Windows\system32\cmd.exe
      cmd /c certutil -decodehex "C:\Users\Admin\AppData\Local\Temp\Swift 19022024.bat" "C:\Users\Public\pointer.com" 3
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2676
      • C:\Windows\system32\certutil.exe
        certutil -decodehex "C:\Users\Admin\AppData\Local\Temp\Swift 19022024.bat" "C:\Users\Public\pointer.com" 3
        3⤵
          PID:2716
      • C:\Windows\system32\PING.EXE
        PING -n 3 127.0.0.1
        2⤵
        • Runs ping.exe
        PID:2720
      • C:\Users\Public\pointer.com
        C:\Users\Public\pointer.com
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious use of WriteProcessMemory
        PID:2988
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 732
          3⤵
          • Loads dropped DLL
          • Program crash
          PID:2660

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Public\pointer.com

      Filesize

      1.3MB

      MD5

      5e14df714a090c430526a6a3f5ae14a9

      SHA1

      9d30febbb7666626c8c3a917aeccdda79d39f18a

      SHA256

      699a27d39fd0baa6dee651adf1995ca6eb168657b41235fd0d2cd74c738a8cac

      SHA512

      d20540378cf8e76b39beff338de024d9e061a1c84ab5ac2a0033b2b76f5d845234016b35fcdcabb03c049d65f279101a9993a145b369591b4821c880efb70e34

    • memory/2988-3-0x0000000000230000-0x0000000000231000-memory.dmp

      Filesize

      4KB

    • memory/2988-4-0x00000000037D0000-0x00000000047D0000-memory.dmp

      Filesize

      16.0MB

    • memory/2988-5-0x00000000037D0000-0x00000000047D0000-memory.dmp

      Filesize

      16.0MB

    • memory/2988-7-0x0000000000230000-0x0000000000231000-memory.dmp

      Filesize

      4KB

    • memory/2988-8-0x0000000000400000-0x0000000000558000-memory.dmp

      Filesize

      1.3MB