Analysis
max time kernel: 133s
max time network: 140s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 20/02/2024, 16:00
Static task: static1
Behavioral task: behavioral1
    Sample: Swift 19022024.bat
    Resource: win7-20231215-en
Behavioral task: behavioral2
    Sample: Swift 19022024.bat
    Resource: win10v2004-20240220-en
General
Target: Swift 19022024.bat
Size: 2.2MB
MD5: 6dc5aa35800875f5e06a20da26286f13
SHA1: b9fbf17b8a2aeae452050b2f660ef8cff024a433
SHA256: db5c362b0b4ec0a9bbc7b2c5a186a22019c82c2a96a7c326fad2e1f095de22db
SHA512: a51120e0800a2694ae14267faf667dc5f37be76bf17bcc042931ef8a1f7f8b38237bf12f441ce3eec7eb4aba15428e3ddcbaa2f23a2944b7f8adbe9c9a5649ab
SSDEEP: 24576:RLM2LFX2P6Qv1hhxfAswo1eoKHMX+mIi8g1CLbGBi3oucj+9OtOT+a0sloBJCpDo:RYQSv1fxfAsJ1eoVuSDW0YXEx
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage (1 IoC)
resource: behavioral1/memory/2988-5-0x00000000037D0000-0x00000000047D0000-memory.dmp
yara_rule: modiloader_stage2

Executes dropped EXE (1 IoC)
pid 2988, process pointer.com

Loads dropped DLL (2 IoCs)
pid 2660, process WerFault.exe (2 hits)

Program crash (1 IoC)
pid 2660 (WerFault.exe), pid_target 2988, procid_target 32

Runs ping.exe (1 TTP, 1 IoC)
pid 2720, process PING.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
pid 2988, process pointer.com

Suspicious use of WriteProcessMemory (17 IoCs)
PID 2904 (cmd.exe) wrote to memory of 2676, procid_target 29 (3 hits)
PID 2676 (cmd.exe) wrote to memory of 2716, procid_target 30 (3 hits)
PID 2904 (cmd.exe) wrote to memory of 2720, procid_target 31 (3 hits)
PID 2904 (cmd.exe) wrote to memory of 2988, procid_target 32 (4 hits)
PID 2988 (pointer.com) wrote to memory of 2660, procid_target 33 (4 hits)
Processes
C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Swift 19022024.bat"
    PID: 2904
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe
        cmd /c certutil -decodehex "C:\Users\Admin\AppData\Local\Temp\Swift 19022024.bat" "C:\Users\Public\pointer.com" 3
        PID: 2676
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\certutil.exe
            certutil -decodehex "C:\Users\Admin\AppData\Local\Temp\Swift 19022024.bat" "C:\Users\Public\pointer.com" 3
            PID: 2716
    C:\Windows\system32\PING.EXE
        PING -n 3 127.0.0.1
        PID: 2720
        - Runs ping.exe
    C:\Users\Public\pointer.com
        C:\Users\Public\pointer.com
        PID: 2988
        - Executes dropped EXE
        - Suspicious behavior: CmdExeWriteProcessMemorySpam
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 732
            PID: 2660
            - Loads dropped DLL
            - Program crash
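The process tree above shows the whole chain on the Windows 7 host: the batch file is passed to certutil -decodehex with itself as the input file and C:\Users\Public\pointer.com as the output, the script then pings 127.0.0.1 three times (a common batch-file delay, not a network check), launches the decoded file, and that file crashes under WerFault. The detection logic below is an added example, not part of the tria.ge report or of the sample: it replays process-creation events constructed from this tree (the parent PID of the root cmd.exe is not in the report and is assumed) and flags a certutil -decodehex whose input is a .bat/.cmd script and whose output file is later executed, along with the loopback-ping delay and the crash handler spawned by the payload.

```python
"""Detect the certutil -decodehex self-decoding batch chain from process events.

Added example (not tria.ge code). EVENTS is constructed from the process tree in
this report; the ppid of the root cmd.exe is not shown there and is assumed.
"""
import re
from typing import Dict, List

Event = Dict[str, object]

EVENTS: List[Event] = [
    {"pid": 2904, "ppid": 1, "image": r"C:\Windows\system32\cmd.exe",  # ppid 1 is assumed
     "cmdline": r'cmd /c "C:\Users\Admin\AppData\Local\Temp\Swift 19022024.bat"'},
    {"pid": 2676, "ppid": 2904, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'cmd /c certutil -decodehex "C:\Users\Admin\AppData\Local\Temp\Swift 19022024.bat" "C:\Users\Public\pointer.com" 3'},
    {"pid": 2716, "ppid": 2676, "image": r"C:\Windows\system32\certutil.exe",
     "cmdline": r'certutil -decodehex "C:\Users\Admin\AppData\Local\Temp\Swift 19022024.bat" "C:\Users\Public\pointer.com" 3'},
    {"pid": 2720, "ppid": 2904, "image": r"C:\Windows\system32\PING.EXE",
     "cmdline": "PING -n 3 127.0.0.1"},
    {"pid": 2988, "ppid": 2904, "image": r"C:\Users\Public\pointer.com",
     "cmdline": r"C:\Users\Public\pointer.com"},
    {"pid": 2660, "ppid": 2988, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 732"},
]

SCRIPT_EXT = (".bat", ".cmd")


def split_args(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace while keeping quoted paths intact."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def ancestors(pid: int, by_pid: Dict[int, Event]) -> List[int]:
    """Parent PIDs of pid, nearest first; stops at unknown PIDs or cycles."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid]["ppid"]
        chain.append(pid)
    return chain


def find_self_decoding_chains(events: List[Event]) -> List[Dict[str, object]]:
    """Flag certutil -decodehex runs whose InFile is a batch script and whose OutFile later runs."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if not str(e["image"]).lower().endswith("\\certutil.exe"):
            continue  # the cmd.exe wrapper carries the same text; count only certutil itself
        args = split_args(str(e["cmdline"]))
        low = [a.lower() for a in args]
        if "-decodehex" not in low:
            continue
        i = low.index("-decodehex")
        if i + 2 >= len(args):
            continue  # malformed: InFile/OutFile missing
        infile, outfile = args[i + 1], args[i + 2]
        if not infile.lower().endswith(SCRIPT_EXT):
            continue  # decoding a .hex/.txt is routine admin use; a script as InFile is the tell
        lineage = set(ancestors(e["pid"], by_pid))
        executed = [x["pid"] for x in events if str(x["image"]).lower() == outfile.lower()]
        # A loopback ping launched by the same script host is the classic batch "sleep".
        delay_ping = any(
            x["ppid"] in lineage
            and str(x["image"]).lower().endswith("\\ping.exe")
            and "127.0.0.1" in str(x["cmdline"])
            for x in events
        )
        crash_handlers = [x["pid"] for x in events
                          if x["ppid"] in executed
                          and str(x["image"]).lower().endswith("\\werfault.exe")]
        findings.append({
            "certutil_pid": e["pid"],
            "script": infile,
            "dropped": outfile,
            "executed_pids": executed,
            "delay_ping": delay_ping,
            "crash_handler_pids": crash_handlers,
            "severity": "high" if executed else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in find_self_decoding_chains(EVENTS):
        print(finding)
```

The check keys on certutil itself rather than the cmd.exe wrapper so the same command line is not counted twice, and it only escalates to "high" when a process with the OutFile's path actually starts; a decode with no execution is reported at medium so an analyst still sees the staging step.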
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.3MB
MD5: 5e14df714a090c430526a6a3f5ae14a9
SHA1: 9d30febbb7666626c8c3a917aeccdda79d39f18a
SHA256: 699a27d39fd0baa6dee651adf1995ca6eb168657b41235fd0d2cd74c738a8cac
SHA512: d20540378cf8e76b39beff338de024d9e061a1c84ab5ac2a0033b2b76f5d845234016b35fcdcabb03c049d65f279101a9993a145b369591b4821c880efb70e34
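The report does not show the batch file's contents, only that certutil -decodehex turns the 2.2MB script into a 1.3MB dropped file. Below is an added example of carving such a payload offline without running certutil, not code from tria.ge or from the sample: it assumes the payload sits after the batch stub as plain hex pairs (the stub here is constructed to mirror the process tree; %~f0 expands to the batch file's own path), then checks the result for an MZ/PE header and hashes it so it can be matched against the Downloads entry. certutil also accepts offset/ASCII hex-dump layouts, so a real sample may need those columns stripped before this runs.

```python
"""Carve the hex payload a self-decoding batch file feeds to certutil -decodehex.

Added example (not tria.ge or sample code). Assumes the payload is stored as plain
hex pairs after the batch stub; the sample batch text below is constructed.
"""
import hashlib
import re
import struct
from typing import Dict

# A line made only of hex pairs (at least two, so a stray "cd" command is not mistaken for data).
HEX_LINE = re.compile(r"^(?:[0-9A-Fa-f]{2}[ \t]*){2,}$")


def build_fake_pe() -> bytes:
    """Constructed stand-in for a dropped PE: MZ stub, e_lfanew at 0x3C, PE signature."""
    hdr = bytearray(0x44)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> offset of "PE\0\0"
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr)


def to_hex_lines(data: bytes, width: int = 16) -> str:
    """Emit data as space-separated hex pairs, `width` bytes per line."""
    return "\r\n".join(data[i:i + width].hex(" ") for i in range(0, len(data), width))


# Constructed batch stub modelled on the process tree in this report.
SAMPLE_BAT = (
    "@echo off\r\n"
    'certutil -decodehex "%~f0" "C:\\Users\\Public\\pointer.com" 3\r\n'
    "PING -n 3 127.0.0.1\r\n"
    'start "" "C:\\Users\\Public\\pointer.com"\r\n'
    + to_hex_lines(build_fake_pe()) + "\r\n"
)


def extract_hex_payload(text: str) -> Dict[str, object]:
    """Collect every all-hex line, decode it, and sanity-check the result for a PE header."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    hex_chunks = [ln for ln in lines if HEX_LINE.match(ln)]
    stub_lines = [ln for ln in lines if not HEX_LINE.match(ln)]
    payload = bytes.fromhex("".join(hex_chunks))  # fromhex ignores the spaces between pairs
    is_pe, e_lfanew = False, None
    if len(payload) >= 0x40 and payload[:2] == b"MZ":
        e_lfanew = struct.unpack_from("<I", payload, 0x3C)[0]
        is_pe = payload[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"
    return {
        "payload": payload,
        "size": len(payload),
        "sha256": hashlib.sha256(payload).hexdigest(),
        "is_pe": is_pe,
        "e_lfanew": e_lfanew,
        "stub_lines": stub_lines,  # the batch commands, useful for spotting the drop path and delay
    }


if __name__ == "__main__":
    result = extract_hex_payload(SAMPLE_BAT)
    print("stub:", result["stub_lines"])
    print("size:", result["size"], "is_pe:", result["is_pe"], "sha256:", result["sha256"])
```

On a real sample, compare the printed SHA256 with the hash in the Downloads section: a match confirms the dropped file is a straight decode of the script body with no further modification, while a mismatch points at a different encoding layout or a second write to the file before execution.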