Analysis
  max time kernel: 150s
  max time network: 151s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 04/12/2024, 13:50
Tasks
  Static task static1
  Behavioral task behavioral1
    Sample: a297af323f6f088bfd429e16f2e42c0c5781d1456c7a7fbb36fd66b2e810e26b.exe
    Resource: win7-20240903-en
  Behavioral task behavioral2
    Sample: a297af323f6f088bfd429e16f2e42c0c5781d1456c7a7fbb36fd66b2e810e26b.exe
    Resource: win10v2004-20241007-en
General
  Target: a297af323f6f088bfd429e16f2e42c0c5781d1456c7a7fbb36fd66b2e810e26b.exe
  Size: 999KB
  MD5: cc51809989809e6f161ebe95b9c409c4
  SHA1: a15d2a28d813c0ee017c2dcca2f89297d9165c23
  SHA256: a297af323f6f088bfd429e16f2e42c0c5781d1456c7a7fbb36fd66b2e810e26b
  SHA512: 77c548562f57093220483507845440b7b6b33f266154e7b8d3c9b593a58bd1dd43345f328ba15a9ab0133648cf843c70cee602c18e1aa27520f4bb521af77eb1
  SSDEEP: 24576:YN/BUBb+tYjBFHryjPrjrjhtXRfktHs5BzdUOMYyS:cpUlRhcDjrjhtXRMOOS
Malware Config
Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

Modiloader family

ModiLoader Second Stage (2 IoCs)
  resource / yara_rule:
  - behavioral2/files/0x0008000000023c99-23.dat  modiloader_stage2
  - behavioral2/memory/3900-28-0x0000000000400000-0x000000000046A000-memory.dmp  modiloader_stage2
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 1 IoC)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  description / ioc / Process:
  - Key created: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Active Setup\Installed Components (explorer.exe)

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
  description / ioc / Process:
  - Key value queried: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation (a297af323f6f088bfd429e16f2e42c0c5781d1456c7a7fbb36fd66b2e810e26b.exe)
  - Key value queried: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation (lolowkdwqadaefdfasdffsd.exe)
  - Key value queried: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation (lol1.exe)

Executes dropped EXE (3 IoCs)
  pid / Process:
  - 3196 lolowkdwqadaefdfasdffsd.exe
  - 4044 lol1.exe
  - 3900 lol.exe

Impair Defenses: Safe Mode Boot (1 TTP, 6 IoCs)
  description / ioc / Process:
  - Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power (lol.exe)
  - Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys (lol.exe)
  - Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc (lol.exe)
  - Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager (lol.exe)
  - Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys (lol.exe)
  - Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc (lol.exe)

Adds Run key to start application (2 TTPs, 1 IoC)
  description / ioc / Process:
  - Set value (str): \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lol.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lol.exe" (lol.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process:
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (lol.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (a297af323f6f088bfd429e16f2e42c0c5781d1456c7a7fbb36fd66b2e810e26b.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (lolowkdwqadaefdfasdffsd.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (lol1.exe)
Modifies registry class (1 IoC)
  description / ioc / Process:
  - Key created: \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2045521122-590294423-3465680274-1000\{A7688C32-7887-4555-A916-9C9205E90DC3} (explorer.exe)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / Process:
  - 3900 lol.exe (the same entry is reported 64 times)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description / pid / Process:
  - Token: SeShutdownPrivilege, 5080 explorer.exe
  - Token: SeCreatePagefilePrivilege, 5080 explorer.exe
  - Token: SeShutdownPrivilege, 5080 explorer.exe
  - Token: SeCreatePagefilePrivilege, 5080 explorer.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description / pid / Process / procid_target (each entry is reported 3 times):
  - PID 5032 wrote to memory of 1584, 5032 a297af323f6f088bfd429e16f2e42c0c5781d1456c7a7fbb36fd66b2e810e26b.exe, procid_target 83
  - PID 1584 wrote to memory of 3196, 1584 cmd.exe, procid_target 86
  - PID 3196 wrote to memory of 4044, 3196 lolowkdwqadaefdfasdffsd.exe, procid_target 87
  - PID 4044 wrote to memory of 3900, 4044 lol1.exe, procid_target 88
Processes

1. C:\Users\Admin\AppData\Local\Temp\a297af323f6f088bfd429e16f2e42c0c5781d1456c7a7fbb36fd66b2e810e26b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a297af323f6f088bfd429e16f2e42c0c5781d1456c7a7fbb36fd66b2e810e26b.exe"
   PID: 5032
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

  2. C:\Windows\SysWOW64\cmd.exe
     Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmd.cmd" "
     PID: 1584
     - System Location Discovery: System Language Discovery
     - Suspicious use of WriteProcessMemory

    3. C:\Users\Admin\AppData\Local\Temp\lolowkdwqadaefdfasdffsd.exe
       Command line: lolowkdwqadaefdfasdffsd.exe -p132
       PID: 3196
       - Checks computer location settings
       - Executes dropped EXE
       - System Location Discovery: System Language Discovery
       - Suspicious use of WriteProcessMemory

      4. C:\Users\Admin\AppData\Local\Temp\lol1.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\lol1.exe"
         PID: 4044
         - Checks computer location settings
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

        5. C:\Users\Admin\AppData\Local\Temp\lol.exe
           Command line: "C:\Users\Admin\AppData\Local\Temp\lol.exe"
           PID: 3900
           - Executes dropped EXE
           - Impair Defenses: Safe Mode Boot
           - Adds Run key to start application
           - System Location Discovery: System Language Discovery
           - Suspicious behavior: EnumeratesProcesses

1. C:\Windows\explorer.exe
   Command line: explorer.exe
   PID: 5080
   - Boot or Logon Autostart Execution: Active Setup
   - Modifies registry class
   - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
  Persistence
    Boot or Logon Autostart Execution (2)
      Active Setup (1)
      Registry Run Keys / Startup Folder (1)
  Privilege Escalation
    Boot or Logon Autostart Execution (2)
      Active Setup (1)
      Registry Run Keys / Startup Folder (1)
Downloads

  Filesize: 39B
  MD5: 4b9d51163be5a8f47b0120239c50443a
  SHA1: 078be1bb76cd2e50f6602fa4376456203045ff6c
  SHA256: a79443eb354257843d2b03450e1363c6a792c2c0cadde1e2a4258861ca74d876
  SHA512: b7e4b42310d957550641460663135107c9edebc937172be625425dad0c3c4398fb2d9a80e60cdc825acab08e29b5fdcc0ba69d95ab3c93778b8ecd70139839a2

  Filesize: 397KB
  MD5: 61fc1593c52193d1dad618118d1a2755
  SHA1: 3a170a48de81b9ca4b96f7204806857123925b85
  SHA256: 155998a2d38712697799ead332b6022df6f5e057242b5bc0f31134d38a4716b5
  SHA512: ffd876a23388f693a62c8cbbb903b659fc36be8da704a66a4be8db26b7d8f7387ed7a7d824c96c0c3242104f93d12d4665e6aecafb8b7f686f73b26a0749d292

  Filesize: 521KB
  MD5: 6b5c0770e74e8449b50dac816eff2702
  SHA1: a5a569f3365ad017a88629d984d3626f48b3df83
  SHA256: 3fea9d4dee2f892d5d21b6df7141f149ad772e5d10827f3d15255f6a53fd50dc
  SHA512: 33631d2434130556de3f8d2b6cba3af43e8f0d2a9648385f0ac3d3aa0098f43c75662e5c8efb57d05b2ba16dab9e171958dd6e23b1f189d9a4b644e853765a7d

  Filesize: 704KB
  MD5: 3b5d0257561b76baa84d00a3589c6fc8
  SHA1: 3ec6384ba63f15e916510c8f2852e3509c8732b0
  SHA256: 0b770d7e3a29f9a20542ef42be88decb17962022f5303b075ae4b12c53f711dc
  SHA512: 0a3761456990956ddb905b981b0053a86f47acf61d6fc2b5d2fb4c3b7b711125c457ae7234ffbc1e9329b0b1c0db234a08454af642892e802d3d096a5e6ffcc3