Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
11/12/2024, 04:14
Behavioral task
behavioral1
Sample
9ab26df88bdb04c268319218d9fc3609243afb5df199977ca0e55c439694a844N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
9ab26df88bdb04c268319218d9fc3609243afb5df199977ca0e55c439694a844N.exe
Resource
win10v2004-20241007-en
General
-
Target
9ab26df88bdb04c268319218d9fc3609243afb5df199977ca0e55c439694a844N.exe
-
Size
130KB
-
MD5
8a645c37ab849e252f385464850998d0
-
SHA1
39481c520fd61e2a0cb21152738baf0ec0d8ca8f
-
SHA256
9ab26df88bdb04c268319218d9fc3609243afb5df199977ca0e55c439694a844
-
SHA512
bfb94bef78a06a154ca13cad7200f1fa57793f3122de4cf810dc17211d9ba7d045022e1fa10942cad37a129873acbb53dd8431f9ddeb07ac6c5e4923bb42e120
-
SSDEEP
1536:mH1ZaQvR1KiX3NK6I+hZhYrt/w5Q6G6IpiRYzz9qJHhhnm0yG5aP/5UROXTmNJ6:6KQJcinxphkG5Q6GdpIOkJHhKRyOXK6
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modiloader family
-
ModiLoader Second Stage 6 IoCs
resource yara_rule behavioral2/memory/1748-52-0x0000000000400000-0x0000000000411000-memory.dmp modiloader_stage2 behavioral2/memory/1748-54-0x0000000000400000-0x0000000000411000-memory.dmp modiloader_stage2 behavioral2/memory/1748-49-0x0000000000400000-0x0000000000411000-memory.dmp modiloader_stage2 behavioral2/memory/1748-59-0x0000000000400000-0x0000000000411000-memory.dmp modiloader_stage2 behavioral2/memory/1748-60-0x0000000000400000-0x0000000000411000-memory.dmp modiloader_stage2 behavioral2/memory/1748-65-0x0000000000400000-0x0000000000411000-memory.dmp modiloader_stage2 -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation 9ab26df88bdb04c268319218d9fc3609243afb5df199977ca0e55c439694a844N.exe -
Executes dropped EXE 3 IoCs
pid Process 3000 Flaseher.exe 4136 Flaseher.exe 1748 Flaseher.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\.Flasfh = "C:\\Users\\Admin\\AppData\\Roaming\\..Flash\\Flaseher.exe" reg.exe -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 4120 set thread context of 4460 4120 9ab26df88bdb04c268319218d9fc3609243afb5df199977ca0e55c439694a844N.exe 82 PID 3000 set thread context of 4136 3000 Flaseher.exe 93 PID 3000 set thread context of 1748 3000 Flaseher.exe 94 -
resource yara_rule behavioral2/memory/4120-0-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/memory/4120-7-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/memory/4460-10-0x0000000000400000-0x000000000040B000-memory.dmp upx behavioral2/memory/4460-12-0x0000000000400000-0x000000000040B000-memory.dmp upx behavioral2/memory/4460-15-0x0000000000400000-0x000000000040B000-memory.dmp upx behavioral2/memory/4120-17-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/files/0x0031000000023b81-32.dat upx behavioral2/memory/4460-43-0x0000000000400000-0x000000000040B000-memory.dmp upx behavioral2/memory/3000-42-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/memory/3000-44-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/memory/3000-45-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/memory/3000-58-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/memory/4460-61-0x0000000000400000-0x000000000040B000-memory.dmp upx behavioral2/memory/4136-63-0x0000000000400000-0x000000000040B000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flaseher.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flaseher.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flaseher.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ab26df88bdb04c268319218d9fc3609243afb5df199977ca0e55c439694a844N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ab26df88bdb04c268319218d9fc3609243afb5df199977ca0e55c439694a844N.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 4136 Flaseher.exe Token: SeDebugPrivilege 4136 Flaseher.exe Token: SeDebugPrivilege 4136 Flaseher.exe Token: SeDebugPrivilege 4136 Flaseher.exe Token: SeDebugPrivilege 4136 Flaseher.exe Token: SeDebugPrivilege 4136 Flaseher.exe Token: SeDebugPrivilege 4136 Flaseher.exe Token: SeDebugPrivilege 4136 Flaseher.exe Token: SeDebugPrivilege 4136 Flaseher.exe Token: SeDebugPrivilege 4136 Flaseher.exe Token: SeDebugPrivilege 4136 Flaseher.exe Token: SeDebugPrivilege 4136 Flaseher.exe Token: SeDebugPrivilege 4136 Flaseher.exe Token: SeDebugPrivilege 4136 Flaseher.exe Token: SeDebugPrivilege 4136 Flaseher.exe Token: SeDebugPrivilege 4136 Flaseher.exe Token: SeDebugPrivilege 4136 Flaseher.exe Token: SeDebugPrivilege 4136 Flaseher.exe Token: SeDebugPrivilege 4136 Flaseher.exe Token: SeDebugPrivilege 4136 Flaseher.exe Token: SeDebugPrivilege 4136 Flaseher.exe Token: SeDebugPrivilege 4136 Flaseher.exe Token: SeDebugPrivilege 4136 Flaseher.exe Token: SeDebugPrivilege 4136 Flaseher.exe Token: SeDebugPrivilege 4136 Flaseher.exe Token: SeDebugPrivilege 4136 Flaseher.exe Token: SeDebugPrivilege 4136 Flaseher.exe Token: SeDebugPrivilege 4136 Flaseher.exe Token: SeDebugPrivilege 4136 Flaseher.exe Token: SeDebugPrivilege 4136 Flaseher.exe Token: SeDebugPrivilege 4136 Flaseher.exe Token: SeDebugPrivilege 4136 Flaseher.exe Token: SeDebugPrivilege 4136 Flaseher.exe Token: SeDebugPrivilege 4136 Flaseher.exe Token: SeDebugPrivilege 4136 Flaseher.exe Token: SeDebugPrivilege 4136 Flaseher.exe Token: SeDebugPrivilege 4136 Flaseher.exe Token: SeDebugPrivilege 4136 Flaseher.exe Token: SeDebugPrivilege 4136 Flaseher.exe Token: SeDebugPrivilege 4136 Flaseher.exe Token: SeDebugPrivilege 4136 Flaseher.exe Token: SeDebugPrivilege 4136 Flaseher.exe Token: SeDebugPrivilege 4136 Flaseher.exe Token: SeDebugPrivilege 4136 Flaseher.exe Token: SeDebugPrivilege 4136 Flaseher.exe Token: SeDebugPrivilege 4136 Flaseher.exe Token: SeDebugPrivilege 4136 Flaseher.exe Token: SeDebugPrivilege 4136 Flaseher.exe Token: SeDebugPrivilege 4136 Flaseher.exe Token: SeDebugPrivilege 4136 Flaseher.exe Token: SeDebugPrivilege 4136 Flaseher.exe Token: SeDebugPrivilege 4136 Flaseher.exe Token: SeDebugPrivilege 4136 Flaseher.exe Token: SeDebugPrivilege 4136 Flaseher.exe Token: SeDebugPrivilege 4136 Flaseher.exe Token: SeDebugPrivilege 4136 Flaseher.exe Token: SeDebugPrivilege 4136 Flaseher.exe Token: SeDebugPrivilege 4136 Flaseher.exe Token: SeDebugPrivilege 4136 Flaseher.exe Token: SeDebugPrivilege 4136 Flaseher.exe Token: SeDebugPrivilege 4136 Flaseher.exe Token: SeDebugPrivilege 4136 Flaseher.exe Token: SeDebugPrivilege 4136 Flaseher.exe Token: SeDebugPrivilege 4136 Flaseher.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 4120 9ab26df88bdb04c268319218d9fc3609243afb5df199977ca0e55c439694a844N.exe 4460 9ab26df88bdb04c268319218d9fc3609243afb5df199977ca0e55c439694a844N.exe 3000 Flaseher.exe 4136 Flaseher.exe -
Suspicious use of WriteProcessMemory 38 IoCs
description pid Process procid_target PID 4120 wrote to memory of 4460 4120 9ab26df88bdb04c268319218d9fc3609243afb5df199977ca0e55c439694a844N.exe 82 PID 4120 wrote to memory of 4460 4120 9ab26df88bdb04c268319218d9fc3609243afb5df199977ca0e55c439694a844N.exe 82 PID 4120 wrote to memory of 4460 4120 9ab26df88bdb04c268319218d9fc3609243afb5df199977ca0e55c439694a844N.exe 82 PID 4120 wrote to memory of 4460 4120 9ab26df88bdb04c268319218d9fc3609243afb5df199977ca0e55c439694a844N.exe 82 PID 4120 wrote to memory of 4460 4120 9ab26df88bdb04c268319218d9fc3609243afb5df199977ca0e55c439694a844N.exe 82 PID 4120 wrote to memory of 4460 4120 9ab26df88bdb04c268319218d9fc3609243afb5df199977ca0e55c439694a844N.exe 82 PID 4120 wrote to memory of 4460 4120 9ab26df88bdb04c268319218d9fc3609243afb5df199977ca0e55c439694a844N.exe 82 PID 4120 wrote to memory of 4460 4120 9ab26df88bdb04c268319218d9fc3609243afb5df199977ca0e55c439694a844N.exe 82 PID 4460 wrote to memory of 4856 4460 9ab26df88bdb04c268319218d9fc3609243afb5df199977ca0e55c439694a844N.exe 85 PID 4460 wrote to memory of 4856 4460 9ab26df88bdb04c268319218d9fc3609243afb5df199977ca0e55c439694a844N.exe 85 PID 4460 wrote to memory of 4856 4460 9ab26df88bdb04c268319218d9fc3609243afb5df199977ca0e55c439694a844N.exe 85 PID 4856 wrote to memory of 4964 4856 cmd.exe 88 PID 4856 wrote to memory of 4964 4856 cmd.exe 88 PID 4856 wrote to memory of 4964 4856 cmd.exe 88 PID 4460 wrote to memory of 3000 4460 9ab26df88bdb04c268319218d9fc3609243afb5df199977ca0e55c439694a844N.exe 89 PID 4460 wrote to memory of 3000 4460 9ab26df88bdb04c268319218d9fc3609243afb5df199977ca0e55c439694a844N.exe 89 PID 4460 wrote to memory of 3000 4460 9ab26df88bdb04c268319218d9fc3609243afb5df199977ca0e55c439694a844N.exe 89 PID 3000 wrote to memory of 4136 3000 Flaseher.exe 93 PID 3000 wrote to memory of 4136 3000 Flaseher.exe 93 PID 3000 wrote to memory of 4136 3000 Flaseher.exe 93 PID 3000 wrote to memory of 4136 3000 Flaseher.exe 93 PID 3000 wrote to memory of 4136 3000 Flaseher.exe 93 PID 3000 wrote to memory of 4136 3000 Flaseher.exe 93 PID 3000 wrote to memory of 4136 3000 Flaseher.exe 93 PID 3000 wrote to memory of 4136 3000 Flaseher.exe 93 PID 3000 wrote to memory of 1748 3000 Flaseher.exe 94 PID 3000 wrote to memory of 1748 3000 Flaseher.exe 94 PID 3000 wrote to memory of 1748 3000 Flaseher.exe 94 PID 3000 wrote to memory of 1748 3000 Flaseher.exe 94 PID 3000 wrote to memory of 1748 3000 Flaseher.exe 94 PID 3000 wrote to memory of 1748 3000 Flaseher.exe 94 PID 3000 wrote to memory of 1748 3000 Flaseher.exe 94 PID 3000 wrote to memory of 1748 3000 Flaseher.exe 94 PID 3000 wrote to memory of 1748 3000 Flaseher.exe 94 PID 3000 wrote to memory of 1748 3000 Flaseher.exe 94 PID 3000 wrote to memory of 1748 3000 Flaseher.exe 94 PID 3000 wrote to memory of 1748 3000 Flaseher.exe 94 PID 3000 wrote to memory of 1748 3000 Flaseher.exe 94
Processes
-
C:\Users\Admin\AppData\Local\Temp\9ab26df88bdb04c268319218d9fc3609243afb5df199977ca0e55c439694a844N.exe"C:\Users\Admin\AppData\Local\Temp\9ab26df88bdb04c268319218d9fc3609243afb5df199977ca0e55c439694a844N.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4120 -
C:\Users\Admin\AppData\Local\Temp\9ab26df88bdb04c268319218d9fc3609243afb5df199977ca0e55c439694a844N.exe"C:\Users\Admin\AppData\Local\Temp\9ab26df88bdb04c268319218d9fc3609243afb5df199977ca0e55c439694a844N.exe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4460 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DSTQA.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4856 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v ".Flasfh" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe" /f4⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:4964
-
-
-
C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe"C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe"C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4136
-
-
C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe"C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1748
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
145B
MD5da0cbe87b720a79b294147ed6a4b98be
SHA1ebf0dc9efd7a12cb192e355cda87546acb4ab360
SHA2567ccfeff356fdccc9145bd1e263aa1c56360ca7b6552ed5a5665c596d02a627ed
SHA512f55c4a3d24d2f11db5eda3c816d1cd3b8804a171a7bf715b13d60788247fbb352eafaa5bd4e0a8086c1013396be0a48c7bdb904ab0f974fa0c75e81e3d365acc
-
Filesize
130KB
MD5482bffa7aa7199c2e8b07877e8c2d568
SHA1a84401e937c3cb8018c61150bb9cc9704cbae133
SHA2564dfd7ba833f0dcf932e25ea64db059c75c9f65ffe8128160682bfeda8673f6ab
SHA5128d1e962516c108f0e55af23b9665ff9e70fcbf0d17e10bae43878bcb0ace4cb2458a9ed3faf708c1dfe807f52e6a8f872675c98a2481dadb3012242490a0f222