Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/03/2024, 14:05
Static task
- static1

Behavioral task
- behavioral1
  Sample: b251001041fe1c5c47ee953942dcf662.exe
  Resource: win7-20240221-en

Behavioral task
- behavioral2
  Sample: b251001041fe1c5c47ee953942dcf662.exe
  Resource: win10v2004-20240226-en
General
- Target: b251001041fe1c5c47ee953942dcf662.exe
- Size: 224KB
- MD5: b251001041fe1c5c47ee953942dcf662
- SHA1: 223ac182c32c524768d18152f86fe47dc0c1e4d7
- SHA256: 97a612d3c4a095e20f2bcea30a62793ca6fe4397b8676aceb8efbcbb13e717e7
- SHA512: a9a8507e8a1ce1866b8e65a6f8e91b870d9d09d14b5b820513e8e66adebeff4363138d2779eb465fe3ccc19917270794efd33e6db90f71cb0c705d2a2b625e0a
- SSDEEP: 6144:NJiRgUAEzgVVSr9S1OT4PFvILEDEM8mIQQ4z2:NiRMA9RTKFsED51PC
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\System32\\userinit.exe,\"C:\\Users\\Admin\\Favorites\\netservice.exe\"un userinit.exe"
  process: b251001041fe1c5c47ee953942dcf662.exe

- ModiLoader Second Stage (9 IoCs)
  resource | yara_rule
  behavioral2/memory/2792-8-0x0000000013140000-0x00000000131BA000-memory.dmp | modiloader_stage2
  behavioral2/files/0x000a0000000231d7-9.dat | modiloader_stage2
  behavioral2/memory/3720-11-0x0000000013140000-0x00000000131BA000-memory.dmp | modiloader_stage2
  behavioral2/memory/2484-12-0x0000000000400000-0x0000000000468000-memory.dmp | modiloader_stage2
  behavioral2/memory/2484-14-0x0000000000400000-0x0000000000468000-memory.dmp | modiloader_stage2
  behavioral2/memory/2484-16-0x0000000000400000-0x0000000000468000-memory.dmp | modiloader_stage2
  behavioral2/memory/2484-18-0x0000000000400000-0x0000000000468000-memory.dmp | modiloader_stage2
  behavioral2/memory/2484-20-0x0000000000400000-0x0000000000468000-memory.dmp | modiloader_stage2
  behavioral2/memory/2484-23-0x0000000000400000-0x0000000000468000-memory.dmp | modiloader_stage2

- Sets DLL path for service in the registry (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\netrt\Parameters\ServiceDll = "C:\\Windows\\System32\\sysn.dll"
  process: b251001041fe1c5c47ee953942dcf662.exe

- Executes dropped EXE (1 IoC)
  pid | process
  2792 | netservice.exe

- Loads dropped DLL (1 IoC)
  pid | process
  2484 | svchost.exe

- Drops file in System32 directory (2 IoCs)
  description | ioc | process
  File created | C:\Windows\SysWOW64\sysn.dll | b251001041fe1c5c47ee953942dcf662.exe
  File opened for modification | C:\Windows\SysWOW64\sysn.dll | b251001041fe1c5c47ee953942dcf662.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | process | procid_target
  PID 3720 wrote to memory of 2792 | 3720 | b251001041fe1c5c47ee953942dcf662.exe | 91
  PID 3720 wrote to memory of 2792 | 3720 | b251001041fe1c5c47ee953942dcf662.exe | 91
  PID 3720 wrote to memory of 2792 | 3720 | b251001041fe1c5c47ee953942dcf662.exe | 91
  PID 3720 wrote to memory of 556 | 3720 | b251001041fe1c5c47ee953942dcf662.exe | 92
  PID 3720 wrote to memory of 556 | 3720 | b251001041fe1c5c47ee953942dcf662.exe | 92
  PID 3720 wrote to memory of 556 | 3720 | b251001041fe1c5c47ee953942dcf662.exe | 92
  PID 3720 wrote to memory of 2020 | 3720 | b251001041fe1c5c47ee953942dcf662.exe | 95
  PID 3720 wrote to memory of 2020 | 3720 | b251001041fe1c5c47ee953942dcf662.exe | 95
  PID 3720 wrote to memory of 2020 | 3720 | b251001041fe1c5c47ee953942dcf662.exe | 95
Processes
- C:\Users\Admin\AppData\Local\Temp\b251001041fe1c5c47ee953942dcf662.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\b251001041fe1c5c47ee953942dcf662.exe"
  PID: 3720
  - Modifies WinLogon for persistence
  - Sets DLL path for service in the registry
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\Favorites\netservice.exe
    command line: C:\Users\Admin\Favorites\netservice.exe
    PID: 2792
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c del "C:\Users\Admin\AppData\Local\Temp\b251001041fe1c5c47ee953942dcf662.exe"
    PID: 556
  - C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c del "C:\Users\Admin\AppData\Local\Temp\b251001041fe1c5c47ee953942dcf662.exe"
    PID: 2020
- C:\Windows\SysWOW64\svchost.exe
  command line: C:\Windows\SysWOW64\svchost.exe -k network
  PID: 2484
  - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 224KB
  MD5: b251001041fe1c5c47ee953942dcf662
  SHA1: 223ac182c32c524768d18152f86fe47dc0c1e4d7
  SHA256: 97a612d3c4a095e20f2bcea30a62793ca6fe4397b8676aceb8efbcbb13e717e7
  SHA512: a9a8507e8a1ce1866b8e65a6f8e91b870d9d09d14b5b820513e8e66adebeff4363138d2779eb465fe3ccc19917270794efd33e6db90f71cb0c705d2a2b625e0a
- Filesize: 393KB
  MD5: 51ce9d0ba81719576e8db8d9a692322a
  SHA1: a7dbaa43df003658beb71560a0be63494ba29777
  SHA256: 0927ba82f435fcd4f15256092f5f4e730ef713e01c904dbc9b36e4ef6ec92422
  SHA512: 4bd15ba0b19a85f6dac1014704648d67e55176572bfa71c12d91e7771b68a53ef2e8b4a4c662ed86d7fc900891ecce3125d5fd15dd3cc2f9786d570579228cfc