Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
  max time kernel:  150s
  max time network: 151s
  platform:         windows10-2004_x64
  resource:         win10v2004-20241007-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        01/01/2025, 08:41
Behavioral task behavioral1
  Sample:   WarCheats.1.4.2.exe
  Resource: win7-20240903-en
Behavioral task behavioral2
  Sample:   WarCheats.1.4.2.exe
  Resource: win10v2004-20241007-en
General
  Target: WarCheats.1.4.2.exe
  Size:   567KB
  MD5:    eb49b0c5ea596425744db67a6b582671
  SHA1:   f095ff16b2fe55903813e7990b989d88976c4bc0
  SHA256: e93632ca2dd776821778fd0b30ea57df84b3c664d7b370511dcb22013c4826f8
  SHA512: b99d59f3aa87b1e132c9f233f9ba5d4d5a6ab7768341761f326ff7309f9330e52e3a1141e7cce07c4e97842be703db58e68622c4b84420866eb8440c801e7c84
  SSDEEP: 12288:O+u9nx2GjMY3XKfd/H/9PFfBRTosZecIHt9xI:O+qnT9GH1P1B+sZe/Ht9S
Malware Config
Signatures

ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

Modiloader family

ModiLoader Second Stage (1 IoC)
  resource     behavioral2/memory/3340-1-0x0000000000400000-0x0000000000494000-memory.dmp
  yara_rule    modiloader_stage2

Boot or Logon Autostart Execution: Active Setup (2 TTPs, 1 IoC)
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  description    ioc    Process
  Key created    \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Active Setup\Installed Components    explorer.exe

Impair Defenses: Safe Mode Boot (1 TTP, 6 IoCs)
  Entries under SafeBoot\Minimal list the services and drivers Windows loads when booting into Safe Mode; deleting an entry stops that component from starting there.
  description    ioc    Process
  Key deleted    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager    WarCheats.1.4.2.exe
  Key deleted    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys     WarCheats.1.4.2.exe
  Key deleted    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc        WarCheats.1.4.2.exe
  Key deleted    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power          WarCheats.1.4.2.exe
  Key deleted    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys      WarCheats.1.4.2.exe
  Key deleted    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc        WarCheats.1.4.2.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description        ioc    Process
  Set value (str)    \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WarCheats.1.4.2.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WarCheats.1.4.2.exe"    WarCheats.1.4.2.exe

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description    ioc    Process
  Key opened     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    WarCheats.1.4.2.exe

Modifies registry class (1 IoC)
  description    ioc    Process
  Key created    \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1045960512-3948844814-3059691613-1000\{D3972D08-A959-4B2B-A9AE-78A67A7A2E5A}    explorer.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid     Process
  3340    WarCheats.1.4.2.exe    (the same entry is repeated for all 64 IoCs)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description                         pid    Process
  Token: SeShutdownPrivilege          220    explorer.exe
  Token: SeCreatePagefilePrivilege    220    explorer.exe
  Token: SeShutdownPrivilege          220    explorer.exe
  Token: SeCreatePagefilePrivilege    220    explorer.exe
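The Safe Mode Boot, Run key and Active Setup signatures above are all registry writes, so a host-side registry event feed (Sysmon event 12/13 or similar) records the same operations. The following Python is an added example, not Triage's code and not anything recovered from the sample: it folds Triage's \REGISTRY\MACHINE and \REGISTRY\USER\<SID> spellings onto the HKLM/HKU form Sysmon uses, matches each event against the three signatures, lists which SafeBoot\Minimal entries were removed, and flags a Run value whose data points back at the process that wrote it. The tab-separated key=value line format, the rule table and the sample lines (rebuilt from the IoCs in this report) are constructions for the example, not a real Sysmon export.

```python
"""Match registry events against the persistence / defense-evasion IoCs in
the report above.  Added example; the line format is a constructed
tab-separated key=value form, not a real Sysmon export."""
from __future__ import annotations
import re
from collections import Counter
from dataclasses import dataclass

# Triage prints native paths (\REGISTRY\MACHINE, \REGISTRY\USER\<SID>);
# Sysmon prints HKLM / HKU.  Fold every spelling onto the Sysmon one.
_ROOTS = [
    (re.compile(r"^\\REGISTRY\\MACHINE", re.I), "HKLM"),
    (re.compile(r"^\\REGISTRY\\USER", re.I), "HKU"),
    (re.compile(r"^HKEY_LOCAL_MACHINE", re.I), "HKLM"),
    (re.compile(r"^HKEY_USERS", re.I), "HKU"),
]

def normalise_key(path: str) -> str:
    for pat, root in _ROOTS:
        path = pat.sub(root, path, count=1)
    return path

@dataclass
class RegistryEvent:
    event_type: str  # CreateKey / DeleteKey (Sysmon 12) or SetValue (Sysmon 13)
    image: str       # process that performed the operation
    target: str      # normalised key or value path
    details: str     # value data for SetValue, otherwise ""

@dataclass
class Finding:
    technique: str
    name: str
    event: RegistryEvent
    note: str = ""

# (ATT&CK id, signature name as the report labels it, event types, path pattern)
RULES = [
    ("T1562.009", "Impair Defenses: Safe Mode Boot", {"DeleteKey"},
     re.compile(r"^HKLM\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})\\Control"
                r"\\SafeBoot\\(Minimal|Network)\\[^\\]+$", re.I)),
    ("T1547.001", "Adds Run key to start application", {"SetValue"},
     re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)),
    ("T1547.014", "Boot or Logon Autostart Execution: Active Setup", {"CreateKey", "SetValue"},
     re.compile(r"\\Software\\Microsoft\\Active Setup\\Installed Components(\\|$)", re.I)),
]

def parse_line(line: str) -> RegistryEvent:
    fields = dict(p.split("=", 1) for p in line.rstrip("\n").split("\t") if "=" in p)
    return RegistryEvent(fields["EventType"], fields["Image"],
                         normalise_key(fields["TargetObject"]), fields.get("Details", ""))

def classify(ev: RegistryEvent) -> list[Finding]:
    found = []
    for tid, name, types, pat in RULES:
        if ev.event_type not in types or not pat.search(ev.target):
            continue
        note = ""
        if tid == "T1547.001" and ev.details.strip('"').lower() == ev.image.lower():
            note = "self-persistence: Run value points back at the writing process"
        elif tid == "T1547.014" and ev.image.lower().endswith("\\explorer.exe"):
            note = "low confidence: explorer.exe maintains Active Setup at logon; look for a subkey written by the sample"
        found.append(Finding(tid, name, ev, note))
    return found

def analyze(lines) -> list[Finding]:
    return [f for line in lines for f in classify(parse_line(line))]

def summarize(findings) -> dict[str, int]:
    return dict(Counter(f.technique for f in findings))

def safeboot_entries_removed(findings) -> list[str]:
    """Services/drivers that will no longer load in Safe Mode."""
    return sorted(f.event.target.rsplit("\\", 1)[1]
                  for f in findings if f.technique == "T1562.009")

# Constructed sample lines (not captured logs) rebuilt from the report's IoCs.
_SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\WarCheats.1.4.2.exe"
_SID = "S-1-5-21-1045960512-3948844814-3059691613-1000"
_SAFEBOOT = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal"

def _line(*fields: str) -> str:
    return "\t".join(fields)

SAMPLE_LINES = [
    _line("EventType=DeleteKey", f"Image={_SAMPLE}", f"TargetObject={_SAFEBOOT}\\{name}")
    for name in ("UserManager", "SerCx2.sys", "ProfSvc", "Power", "iai2c.sys", "CBDHSvc")
] + [
    _line("EventType=SetValue", f"Image={_SAMPLE}",
          rf"TargetObject=\REGISTRY\USER\{_SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WarCheats.1.4.2.exe",
          f'Details="{_SAMPLE}"'),
    _line("EventType=CreateKey", r"Image=C:\Windows\explorer.exe",
          rf"TargetObject=\REGISTRY\USER\{_SID}\Software\Microsoft\Active Setup\Installed Components"),
    # explorer.exe touching AppModel package state: expected noise, no rule should fire
    _line("EventType=CreateKey", r"Image=C:\Windows\explorer.exe",
          rf"TargetObject=\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\{_SID}\{{D3972D08-A959-4B2B-A9AE-78A67A7A2E5A}}"),
]

if __name__ == "__main__":
    hits = analyze(SAMPLE_LINES)
    for f in hits:
        exe = f.event.image.rsplit("\\", 1)[-1]
        print(f"{f.technique:<10} {f.event.event_type:<9} {f.event.target}  [{exe}] {f.note}")
    print(summarize(hits), safeboot_entries_removed(hits))
```

Run as-is it reports eight findings: six SafeBoot deletions, the self-referencing Run value, and the Active Setup key. The Active Setup hit carries a low-confidence note because the report attributes that key creation to explorer.exe rather than to the sample, so a rule keyed on the path alone would also fire on ordinary logon activity; the benign AppModel key from the same process matches nothing.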
Processes
  C:\Users\Admin\AppData\Local\Temp\WarCheats.1.4.2.exe  (PID 3340)
    command line: "C:\Users\Admin\AppData\Local\Temp\WarCheats.1.4.2.exe"
    - Impair Defenses: Safe Mode Boot
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  C:\Windows\explorer.exe  (PID 220)
    command line: explorer.exe
    - Boot or Logon Autostart Execution: Active Setup
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken