Analysis

  • max time kernel
    140s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/03/2024, 14:05

General

  • Target

    b251001041fe1c5c47ee953942dcf662.exe

  • Size

    224KB

  • MD5

    b251001041fe1c5c47ee953942dcf662

  • SHA1

    223ac182c32c524768d18152f86fe47dc0c1e4d7

  • SHA256

    97a612d3c4a095e20f2bcea30a62793ca6fe4397b8676aceb8efbcbb13e717e7

  • SHA512

    a9a8507e8a1ce1866b8e65a6f8e91b870d9d09d14b5b820513e8e66adebeff4363138d2779eb465fe3ccc19917270794efd33e6db90f71cb0c705d2a2b625e0a

  • SSDEEP

    6144:NJiRgUAEzgVVSr9S1OT4PFvILEDEM8mIQQ4z2:NiRMA9RTKFsED51PC

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • ModiLoader Second Stage 12 IoCs
  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b251001041fe1c5c47ee953942dcf662.exe
    "C:\Users\Admin\AppData\Local\Temp\b251001041fe1c5c47ee953942dcf662.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Sets DLL path for service in the registry
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2240
    • C:\Users\Admin\Favorites\netservice.exe
      C:\Users\Admin\Favorites\netservice.exe
      2⤵
      • Executes dropped EXE
      PID:2156
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c del "C:\Users\Admin\AppData\Local\Temp\b251001041fe1c5c47ee953942dcf662.exe"
      2⤵
      PID:2532
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c del "C:\Users\Admin\AppData\Local\Temp\b251001041fe1c5c47ee953942dcf662.exe"
      2⤵
      • Deletes itself
      PID:2644
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe -k network
      1⤵
      • Loads dropped DLL
      PID:2584

Network

MITRE ATT&CK Enterprise v15

Downloads

    • \??\c:\windows\SysWOW64\sysn.dll

      Filesize

      64KB

      MD5

      56fbe3205570e6fe6c49dbd3ab98677f

      SHA1

      c7db87b892af2e003fb8ab99221e7737c3d0cf51

      SHA256

      78fd482e735a236883777a514035bb17169bcab8cece4b354d742cbbcaded9c0

      SHA512

      6c02da097c5decc4587003f943f20388e0ee368b0c646cf2211cf30224ff35086f763fa372386ed1d4c09a598bae0efcdc194f44affcbb92afc59d0dcbb38d7e

    • \Users\Admin\Favorites\netservice.exe

      Filesize

      224KB

      MD5

      b251001041fe1c5c47ee953942dcf662

      SHA1

      223ac182c32c524768d18152f86fe47dc0c1e4d7

      SHA256

      97a612d3c4a095e20f2bcea30a62793ca6fe4397b8676aceb8efbcbb13e717e7

      SHA512

      a9a8507e8a1ce1866b8e65a6f8e91b870d9d09d14b5b820513e8e66adebeff4363138d2779eb465fe3ccc19917270794efd33e6db90f71cb0c705d2a2b625e0a

    • \Windows\SysWOW64\sysn.dll

      Filesize

      393KB

      MD5

      51ce9d0ba81719576e8db8d9a692322a

      SHA1

      a7dbaa43df003658beb71560a0be63494ba29777

      SHA256

      0927ba82f435fcd4f15256092f5f4e730ef713e01c904dbc9b36e4ef6ec92422

      SHA512

      4bd15ba0b19a85f6dac1014704648d67e55176572bfa71c12d91e7771b68a53ef2e8b4a4c662ed86d7fc900891ecce3125d5fd15dd3cc2f9786d570579228cfc

    • memory/2156-10-0x0000000013140000-0x00000000131BA000-memory.dmp

      Filesize

      488KB

    • memory/2240-16-0x0000000013140000-0x00000000131BA000-memory.dmp

      Filesize

      488KB

    • memory/2584-17-0x0000000000600000-0x0000000000668000-memory.dmp

      Filesize

      416KB

    • memory/2584-15-0x0000000000600000-0x0000000000668000-memory.dmp

      Filesize

      416KB

    • memory/2584-19-0x0000000000600000-0x0000000000668000-memory.dmp

      Filesize

      416KB

    • memory/2584-21-0x0000000000600000-0x0000000000668000-memory.dmp

      Filesize

      416KB

    • memory/2584-23-0x0000000000600000-0x0000000000668000-memory.dmp

      Filesize

      416KB

    • memory/2584-25-0x0000000000600000-0x0000000000668000-memory.dmp

      Filesize

      416KB

    • memory/2584-27-0x0000000000600000-0x0000000000668000-memory.dmp

      Filesize

      416KB

    • memory/2584-29-0x0000000000600000-0x0000000000668000-memory.dmp

      Filesize

      416KB