
Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/12/2024, 04:14 UTC

General

  • Target

    9ab26df88bdb04c268319218d9fc3609243afb5df199977ca0e55c439694a844N.exe

  • Size

    130KB

  • MD5

    8a645c37ab849e252f385464850998d0

  • SHA1

    39481c520fd61e2a0cb21152738baf0ec0d8ca8f

  • SHA256

    9ab26df88bdb04c268319218d9fc3609243afb5df199977ca0e55c439694a844

  • SHA512

    bfb94bef78a06a154ca13cad7200f1fa57793f3122de4cf810dc17211d9ba7d045022e1fa10942cad37a129873acbb53dd8431f9ddeb07ac6c5e4923bb42e120

  • SSDEEP

    1536:mH1ZaQvR1KiX3NK6I+hZhYrt/w5Q6G6IpiRYzz9qJHhhnm0yG5aP/5UROXTmNJ6:6KQJcinxphkG5Q6GdpIOkJHhKRyOXK6

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Modiloader family
  • ModiLoader Second Stage 6 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • UPX packed file 14 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9ab26df88bdb04c268319218d9fc3609243afb5df199977ca0e55c439694a844N.exe
    "C:\Users\Admin\AppData\Local\Temp\9ab26df88bdb04c268319218d9fc3609243afb5df199977ca0e55c439694a844N.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4120
    • C:\Users\Admin\AppData\Local\Temp\9ab26df88bdb04c268319218d9fc3609243afb5df199977ca0e55c439694a844N.exe
      "C:\Users\Admin\AppData\Local\Temp\9ab26df88bdb04c268319218d9fc3609243afb5df199977ca0e55c439694a844N.exe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4460
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DSTQA.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4856
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v ".Flasfh" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe" /f
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          PID:4964
      • C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe
        "C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3000
        • C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe
          "C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:4136
        • C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe
          "C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1748

Network

DNS queries, in order. All were sent to 8.8.8.8:53 (US); the originating process is given only where the report attributes the query. Consecutive identical queries are grouped with their count.

  • 149.220.183.52.in-addr.arpa, IN PTR; response: none shown
  • 69.31.126.40.in-addr.arpa, IN PTR; response: none shown
  • 97.17.167.52.in-addr.arpa, IN PTR; response: none shown
  • justgonnatry.hopto.org, IN A, from Flaseher.exe; 4 queries; response: none shown
  • 53.210.109.20.in-addr.arpa, IN PTR; response: none shown
  • 171.39.242.20.in-addr.arpa, IN PTR; response: none shown
  • 134.71.91.104.in-addr.arpa, IN PTR; response: 134.71.91.104.in-addr.arpa IN PTR a104-91-71-134.deploy.static.akamaitechnologies.com
  • justgonnatry.hopto.org, IN A, from Flaseher.exe; 12 queries; response: none shown
  • 11.227.111.52.in-addr.arpa, IN PTR; response: none shown
  • justgonnatry.hopto.org, IN A, from Flaseher.exe; 5 queries; response: none shown
Connections, in order. All were to 8.8.8.8:53 over dns, and each carried a single DNS request for the domain named. Columns: domain (originating process where attributed), bytes sent / bytes received, then the two per-connection counters exactly as listed in the report. Consecutive identical connections are grouped with their count.

  • 149.220.183.52.in-addr.arpa: 73 B / 147 B, 1 / 1
  • 69.31.126.40.in-addr.arpa: 71 B / 157 B, 1 / 1
  • 97.17.167.52.in-addr.arpa: 71 B / 145 B, 1 / 1
  • justgonnatry.hopto.org (Flaseher.exe): 68 B / 128 B, 1 / 1; 4 connections
  • 53.210.109.20.in-addr.arpa: 72 B / 158 B, 1 / 1
  • 171.39.242.20.in-addr.arpa: 72 B / 158 B, 1 / 1
  • 134.71.91.104.in-addr.arpa: 72 B / 137 B, 1 / 1
  • justgonnatry.hopto.org (Flaseher.exe): 68 B / 128 B, 1 / 1; 12 connections
  • 11.227.111.52.in-addr.arpa: 72 B / 158 B, 1 / 1
  • justgonnatry.hopto.org (Flaseher.exe): 68 B / 128 B, 1 / 1; 5 connections


MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DSTQA.bat

    Filesize

    145B

    MD5

    da0cbe87b720a79b294147ed6a4b98be

    SHA1

    ebf0dc9efd7a12cb192e355cda87546acb4ab360

    SHA256

    7ccfeff356fdccc9145bd1e263aa1c56360ca7b6552ed5a5665c596d02a627ed

    SHA512

    f55c4a3d24d2f11db5eda3c816d1cd3b8804a171a7bf715b13d60788247fbb352eafaa5bd4e0a8086c1013396be0a48c7bdb904ab0f974fa0c75e81e3d365acc

  • C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe

    Filesize

    130KB

    MD5

    482bffa7aa7199c2e8b07877e8c2d568

    SHA1

    a84401e937c3cb8018c61150bb9cc9704cbae133

    SHA256

    4dfd7ba833f0dcf932e25ea64db059c75c9f65ffe8128160682bfeda8673f6ab

    SHA512

    8d1e962516c108f0e55af23b9665ff9e70fcbf0d17e10bae43878bcb0ace4cb2458a9ed3faf708c1dfe807f52e6a8f872675c98a2481dadb3012242490a0f222

  • memory/1748-49-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/1748-65-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/1748-52-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/1748-59-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/1748-54-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/1748-60-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/3000-45-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/3000-44-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/3000-58-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/3000-42-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/4120-9-0x0000000002CB0000-0x0000000002CB1000-memory.dmp

    Filesize

    4KB

  • memory/4120-3-0x0000000002BB0000-0x0000000002BB1000-memory.dmp

    Filesize

    4KB

  • memory/4120-5-0x0000000002C20000-0x0000000002C21000-memory.dmp

    Filesize

    4KB

  • memory/4120-4-0x0000000002BE0000-0x0000000002BE1000-memory.dmp

    Filesize

    4KB

  • memory/4120-8-0x0000000002CA0000-0x0000000002CA1000-memory.dmp

    Filesize

    4KB

  • memory/4120-17-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/4120-6-0x0000000002C90000-0x0000000002C91000-memory.dmp

    Filesize

    4KB

  • memory/4120-7-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/4120-14-0x0000000002BB0000-0x0000000002BB1000-memory.dmp

    Filesize

    4KB

  • memory/4120-0-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/4136-63-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/4460-12-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/4460-43-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/4460-61-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/4460-15-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/4460-10-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB
