Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 01/01/2025, 08:41
Behavioral task behavioral1
Sample: WarCheats.1.4.2.exe
Resource: win7-20240903-en
Behavioral task behavioral2
Sample: WarCheats.1.4.2.exe
Resource: win10v2004-20241007-en
General
Target: WarCheats.1.4.2.exe
Size: 567KB
MD5: eb49b0c5ea596425744db67a6b582671
SHA1: f095ff16b2fe55903813e7990b989d88976c4bc0
SHA256: e93632ca2dd776821778fd0b30ea57df84b3c664d7b370511dcb22013c4826f8
SHA512: b99d59f3aa87b1e132c9f233f9ba5d4d5a6ab7768341761f326ff7309f9330e52e3a1141e7cce07c4e97842be703db58e68622c4b84420866eb8440c801e7c84
SSDEEP: 12288:O+u9nx2GjMY3XKfd/H/9PFfBRTosZecIHt9xI:O+qnT9GH1P1B+sZe/Ht9S
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
Modiloader family
ModiLoader Second Stage (1 IoC)
resource: behavioral1/memory/2316-1-0x0000000000400000-0x0000000000494000-memory.dmp
yara_rule: modiloader_stage2
Impair Defenses: Safe Mode Boot (1 TTP, 3 IoCs)
Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power (process: WarCheats.1.4.2.exe)
Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend (process: WarCheats.1.4.2.exe)
Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc (process: WarCheats.1.4.2.exe)
Adds Run key to start application (2 TTPs, 1 IoC)
Set value (str): \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\WarCheats.1.4.2.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WarCheats.1.4.2.exe" (process: WarCheats.1.4.2.exe)
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: WarCheats.1.4.2.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid 2316, WarCheats.1.4.2.exe (all 64 IoCs are from this one process)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid 2316, WarCheats.1.4.2.exe
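The three SafeBoot deletions and the Run-key write are the actionable behaviours in this report: deleting a service's subkey under SafeBoot\Minimal keeps that service (here Defender, the profile service and the power service) from starting in Safe Mode, and the Run value re-launches the sample from the user's Temp directory at logon. As an added example (not tria.ge code and not from the sample), the Python below takes registry events in the shape the report prints them and maps them to those two techniques, grading a Run entry higher when its target lives under the user's AppData. The event list is constructed from the IoC lines above plus two made-up benign events; the ATT&CK IDs are my mapping of the report's signature names, and every function and constant name here is this example's own.

```python
import re
from dataclasses import dataclass

# Services and drivers listed under SafeBoot\Minimal (Safe Mode) and SafeBoot\Network
# (Safe Mode with Networking) are the only ones Windows starts in those modes, so
# deleting a subkey keeps that service out of Safe Mode. Match any control set.
SAFEBOOT_RE = re.compile(
    r"^\\REGISTRY\\MACHINE\\SYSTEM\\(?:ControlSet\d{3}|CurrentControlSet)"
    r"\\Control\\SafeBoot\\(Minimal|Network)\\([^\\]+)$",
    re.IGNORECASE,
)

# Run/RunOnce under a user hive (HKU\<SID>) or HKLM, with or without Wow6432Node.
RUN_RE = re.compile(
    r"^\\REGISTRY\\(?:USER\\S-1-5-21-[\d-]+|MACHINE)\\Software\\(?:Wow6432Node\\)?"
    r"Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$",
    re.IGNORECASE,
)

# A Run entry whose target sits in a user-writable scratch directory is the
# pattern in this report (the sample re-launches itself from %LOCALAPPDATA%\Temp).
USER_WRITABLE_RE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\(?:Local\\Temp|Local|Roaming)\\", re.IGNORECASE
)


@dataclass(frozen=True)
class RegEvent:
    op: str            # as the report prints it: "Key deleted", "Set value (str)", "Key opened"
    path: str          # native (\REGISTRY\...) path
    process: str
    value: str = ""    # data written, for set-value events (report style: backslashes doubled)


@dataclass(frozen=True)
class Finding:
    technique: str     # ATT&CK technique ID (my mapping of the report's signature names)
    title: str
    detail: str
    process: str
    severity: str


def _unescape(report_value: str) -> str:
    """Undo the report's JSON-style escaping and surrounding quotes."""
    return report_value.replace("\\\\", "\\").strip('"')


def classify(events):
    """Map registry events to findings; output order follows the input order."""
    findings = []
    for ev in events:
        m = SAFEBOOT_RE.match(ev.path)
        if m and ev.op.lower().startswith("key deleted"):
            findings.append(Finding(
                "T1562.009", "Impair Defenses: Safe Mode Boot",
                f"removed {m.group(2)} from SafeBoot\\{m.group(1)}", ev.process, "high"))
            continue
        m = RUN_RE.match(ev.path)
        if m and ev.op.lower().startswith("set value"):
            target = _unescape(ev.value)
            sev = "high" if USER_WRITABLE_RE.search(target) else "low"
            findings.append(Finding(
                "T1547.001", "Boot or Logon Autostart Execution: Registry Run Keys",
                f"{m.group(1)}\\{m.group(2)} -> {target}", ev.process, sev))
    return findings


# Constructed events: the first five mirror this report's IoC lines; the last two
# are made-up benign activity to show what does not fire (hypothetical processes).
SID = "S-1-5-21-3063565911-2056067323-3330884624-1000"
CS = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control"
HKU = "\\REGISTRY\\USER\\" + SID
SAMPLE_EVENTS = [
    RegEvent("Key deleted", CS + r"\SafeBoot\Minimal\Power", "WarCheats.1.4.2.exe"),
    RegEvent("Key deleted", CS + r"\SafeBoot\Minimal\WinDefend", "WarCheats.1.4.2.exe"),
    RegEvent("Key deleted", CS + r"\SafeBoot\Minimal\ProfSvc", "WarCheats.1.4.2.exe"),
    RegEvent("Set value (str)",
             HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run\WarCheats.1.4.2.exe",
             "WarCheats.1.4.2.exe",
             r'"C:\\Users\\Admin\\AppData\\Local\\Temp\\WarCheats.1.4.2.exe"'),
    RegEvent("Key opened", CS + r"\NLS\Language", "WarCheats.1.4.2.exe"),
    RegEvent("Key opened", CS + r"\SafeBoot\Minimal\WinDefend", "services.exe"),
    RegEvent("Set value (str)",
             r"\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
             "setup.exe", r'"C:\\Program Files\\Vendor\\updater.exe"'),
]

if __name__ == "__main__":
    for f in classify(SAMPLE_EVENTS):
        print(f"{f.technique} [{f.severity}] {f.process}: {f.detail}")
```

Run against the constructed events this yields three T1562.009 findings and two T1547.001 findings, the sample's own Run entry graded high and the Program Files one low; the NLS key open and the read-only SafeBoot access produce nothing, which is the point of keying on the operation as well as the path.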
Processes
C:\Users\Admin\AppData\Local\Temp\WarCheats.1.4.2.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\WarCheats.1.4.2.exe"
  PID: 2316
  - Impair Defenses: Safe Mode Boot
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
C:\Windows\explorer.exe
  command line: explorer.exe
  PID: 2708