Analysis
- max time kernel: 140s
- max time network: 143s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 04/03/2024, 14:05
Static task: static1
Behavioral task: behavioral1
- Sample: b251001041fe1c5c47ee953942dcf662.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: b251001041fe1c5c47ee953942dcf662.exe
- Resource: win10v2004-20240226-en
General
- Target: b251001041fe1c5c47ee953942dcf662.exe
- Size: 224KB
- MD5: b251001041fe1c5c47ee953942dcf662
- SHA1: 223ac182c32c524768d18152f86fe47dc0c1e4d7
- SHA256: 97a612d3c4a095e20f2bcea30a62793ca6fe4397b8676aceb8efbcbb13e717e7
- SHA512: a9a8507e8a1ce1866b8e65a6f8e91b870d9d09d14b5b820513e8e66adebeff4363138d2779eb465fe3ccc19917270794efd33e6db90f71cb0c705d2a2b625e0a
- SSDEEP: 6144:NJiRgUAEzgVVSr9S1OT4PFvILEDEM8mIQQ4z2:NiRMA9RTKFsED51PC
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\System32\\userinit.exe,\"C:\\Users\\Admin\\Favorites\\netservice.exe\"un userinit.exe"
  process: b251001041fe1c5c47ee953942dcf662.exe
- ModiLoader Second Stage (12 IoCs)
  resource | yara_rule
  behavioral1/memory/2156-10-0x0000000013140000-0x00000000131BA000-memory.dmp | modiloader_stage2
  behavioral1/files/0x0007000000015d20-13.dat | modiloader_stage2
  behavioral1/memory/2240-16-0x0000000013140000-0x00000000131BA000-memory.dmp | modiloader_stage2
  behavioral1/memory/2584-15-0x0000000000600000-0x0000000000668000-memory.dmp | modiloader_stage2
  behavioral1/files/0x0007000000015d20-14.dat | modiloader_stage2
  behavioral1/memory/2584-17-0x0000000000600000-0x0000000000668000-memory.dmp | modiloader_stage2
  behavioral1/memory/2584-19-0x0000000000600000-0x0000000000668000-memory.dmp | modiloader_stage2
  behavioral1/memory/2584-21-0x0000000000600000-0x0000000000668000-memory.dmp | modiloader_stage2
  behavioral1/memory/2584-23-0x0000000000600000-0x0000000000668000-memory.dmp | modiloader_stage2
  behavioral1/memory/2584-25-0x0000000000600000-0x0000000000668000-memory.dmp | modiloader_stage2
  behavioral1/memory/2584-27-0x0000000000600000-0x0000000000668000-memory.dmp | modiloader_stage2
  behavioral1/memory/2584-29-0x0000000000600000-0x0000000000668000-memory.dmp | modiloader_stage2
- Sets DLL path for service in the registry (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\netrt\Parameters\ServiceDll = "C:\\Windows\\System32\\sysn.dll"
  process: b251001041fe1c5c47ee953942dcf662.exe
- Deletes itself (1 IoC)
  pid 2644 | cmd.exe
- Executes dropped EXE (1 IoC)
  pid 2156 | netservice.exe
- Loads dropped DLL (3 IoCs)
  pid 2240 | b251001041fe1c5c47ee953942dcf662.exe
  pid 2240 | b251001041fe1c5c47ee953942dcf662.exe
  pid 2584 | svchost.exe
- Drops file in System32 directory (2 IoCs)
  File created: C:\Windows\SysWOW64\sysn.dll | b251001041fe1c5c47ee953942dcf662.exe
  File opened for modification: C:\Windows\SysWOW64\sysn.dll | b251001041fe1c5c47ee953942dcf662.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | process | procid_target
  PID 2240 wrote to memory of 2156 | 2240 | b251001041fe1c5c47ee953942dcf662.exe | 28 (recorded 4 times)
  PID 2240 wrote to memory of 2532 | 2240 | b251001041fe1c5c47ee953942dcf662.exe | 29 (recorded 4 times)
  PID 2240 wrote to memory of 2644 | 2240 | b251001041fe1c5c47ee953942dcf662.exe | 32 (recorded 4 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\b251001041fe1c5c47ee953942dcf662.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\b251001041fe1c5c47ee953942dcf662.exe"
  PID: 2240
  - Modifies WinLogon for persistence
  - Sets DLL path for service in the registry
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\Favorites\netservice.exe
    command line: C:\Users\Admin\Favorites\netservice.exe
    PID: 2156
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c del "C:\Users\Admin\AppData\Local\Temp\b251001041fe1c5c47ee953942dcf662.exe"
    PID: 2532
  - C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c del "C:\Users\Admin\AppData\Local\Temp\b251001041fe1c5c47ee953942dcf662.exe"
    PID: 2644
    - Deletes itself
- C:\Windows\SysWOW64\svchost.exe
  command line: C:\Windows\SysWOW64\svchost.exe -k network
  PID: 2584
  - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 64KB
  MD5: 56fbe3205570e6fe6c49dbd3ab98677f
  SHA1: c7db87b892af2e003fb8ab99221e7737c3d0cf51
  SHA256: 78fd482e735a236883777a514035bb17169bcab8cece4b354d742cbbcaded9c0
  SHA512: 6c02da097c5decc4587003f943f20388e0ee368b0c646cf2211cf30224ff35086f763fa372386ed1d4c09a598bae0efcdc194f44affcbb92afc59d0dcbb38d7e
- Filesize: 224KB
  MD5: b251001041fe1c5c47ee953942dcf662
  SHA1: 223ac182c32c524768d18152f86fe47dc0c1e4d7
  SHA256: 97a612d3c4a095e20f2bcea30a62793ca6fe4397b8676aceb8efbcbb13e717e7
  SHA512: a9a8507e8a1ce1866b8e65a6f8e91b870d9d09d14b5b820513e8e66adebeff4363138d2779eb465fe3ccc19917270794efd33e6db90f71cb0c705d2a2b625e0a
- Filesize: 393KB
  MD5: 51ce9d0ba81719576e8db8d9a692322a
  SHA1: a7dbaa43df003658beb71560a0be63494ba29777
  SHA256: 0927ba82f435fcd4f15256092f5f4e730ef713e01c904dbc9b36e4ef6ec92422
  SHA512: 4bd15ba0b19a85f6dac1014704648d67e55176572bfa71c12d91e7771b68a53ef2e8b4a4c662ed86d7fc900891ecce3125d5fd15dd3cc2f9786d570579228cfc