Analysis
- max time kernel: 119s
- max time network: 118s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/01/2025, 21:35
Behavioral task: behavioral1
- Sample: a6f54199508f0cde2681e6cd8bbfcd84d3204a812cc5af62d2931fb934fc88ca.exe
- Resource: win7-20241010-en

Behavioral task: behavioral2
- Sample: a6f54199508f0cde2681e6cd8bbfcd84d3204a812cc5af62d2931fb934fc88ca.exe
- Resource: win10v2004-20241007-en
General
- Target: a6f54199508f0cde2681e6cd8bbfcd84d3204a812cc5af62d2931fb934fc88ca.exe
- Size: 90KB
- MD5: 5c0a361750036448547f4c5762ab8da4
- SHA1: 57b294b73d2a6ecd6a28b5e188ed56c917d975b4
- SHA256: a6f54199508f0cde2681e6cd8bbfcd84d3204a812cc5af62d2931fb934fc88ca
- SHA512: 2a904065807d186dd91225c1893ba867f2a6750545f8ab744cb3124009e7714fce36444d5cc47b6acb7dd2055d70f58158c93d59322052298f9c1427e5f38c95
- SSDEEP: 1536:UiYwjQt6QJvzZsgDIWzm/xsXfv+hYhyQQyV5uv4JBrB7w5VRGulTG1ZCL8nj1oDl:0wjZQJvzZsgsW6/Afv+hYfQIm4/rdE3X
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Modiloader family
- ModiLoader Second Stage (4 IoCs)
  resource  /  yara_rule:
  - behavioral2/memory/3596-51-0x0000000000400000-0x0000000000414000-memory.dmp  modiloader_stage2
  - behavioral2/memory/3596-55-0x0000000000400000-0x0000000000414000-memory.dmp  modiloader_stage2
  - behavioral2/memory/3596-52-0x0000000000400000-0x0000000000414000-memory.dmp  modiloader_stage2
  - behavioral2/memory/3596-62-0x0000000000400000-0x0000000000414000-memory.dmp  modiloader_stage2
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description  /  ioc  /  Process:
  - Key value queried  \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation  a6f54199508f0cde2681e6cd8bbfcd84d3204a812cc5af62d2931fb934fc88ca.exe
- Executes dropped EXE (3 IoCs)
  pid  /  Process:
  - 2124  csrsll.exe
  - 3312  csrsll.exe
  - 3596  csrsll.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description  /  ioc  /  Process:
  - Set value (str)  \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Win Pdf = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\csrsll.exe"  reg.exe
- Suspicious use of SetThreadContext (3 IoCs)
  description  /  pid  /  Process  /  procid_target:
  - PID 2548 set thread context of 32  2548  a6f54199508f0cde2681e6cd8bbfcd84d3204a812cc5af62d2931fb934fc88ca.exe  86
  - PID 2124 set thread context of 3312  2124  csrsll.exe  95
  - PID 2124 set thread context of 3596  2124  csrsll.exe  96
- yara_rule upx (19 IoCs)
  resource  /  yara_rule:
  - behavioral2/memory/2548-0-0x0000000000400000-0x0000000000453000-memory.dmp  upx
  - behavioral2/memory/2548-5-0x0000000000400000-0x0000000000453000-memory.dmp  upx
  - behavioral2/memory/32-7-0x0000000000400000-0x000000000040B000-memory.dmp  upx
  - behavioral2/memory/32-9-0x0000000000400000-0x000000000040B000-memory.dmp  upx
  - behavioral2/memory/2548-11-0x0000000000400000-0x0000000000453000-memory.dmp  upx
  - behavioral2/memory/32-13-0x0000000000400000-0x000000000040B000-memory.dmp  upx
  - behavioral2/files/0x000b000000023b84-29.dat  upx
  - behavioral2/memory/32-39-0x0000000000400000-0x000000000040B000-memory.dmp  upx
  - behavioral2/memory/2124-40-0x0000000000400000-0x0000000000453000-memory.dmp  upx
  - behavioral2/memory/2124-41-0x0000000000400000-0x0000000000453000-memory.dmp  upx
  - behavioral2/memory/3596-50-0x0000000000400000-0x0000000000414000-memory.dmp  upx
  - behavioral2/memory/3596-51-0x0000000000400000-0x0000000000414000-memory.dmp  upx
  - behavioral2/memory/3596-45-0x0000000000400000-0x0000000000414000-memory.dmp  upx
  - behavioral2/memory/3596-55-0x0000000000400000-0x0000000000414000-memory.dmp  upx
  - behavioral2/memory/2124-57-0x0000000000400000-0x0000000000453000-memory.dmp  upx
  - behavioral2/memory/3596-52-0x0000000000400000-0x0000000000414000-memory.dmp  upx
  - behavioral2/memory/32-60-0x0000000000400000-0x000000000040B000-memory.dmp  upx
  - behavioral2/memory/3312-61-0x0000000000400000-0x000000000040B000-memory.dmp  upx
  - behavioral2/memory/3596-62-0x0000000000400000-0x0000000000414000-memory.dmp  upx
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  /  ioc  /  Process:
  - Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  reg.exe
  - Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  csrsll.exe
  - Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  csrsll.exe
  - Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  csrsll.exe
  - Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  a6f54199508f0cde2681e6cd8bbfcd84d3204a812cc5af62d2931fb934fc88ca.exe
  - Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  a6f54199508f0cde2681e6cd8bbfcd84d3204a812cc5af62d2931fb934fc88ca.exe
  - Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description  /  pid  /  Process:
  - Token: SeDebugPrivilege  3312  csrsll.exe  (this identical row is listed 64 times in the report)
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid  /  Process:
  - 2548  a6f54199508f0cde2681e6cd8bbfcd84d3204a812cc5af62d2931fb934fc88ca.exe
  - 32  a6f54199508f0cde2681e6cd8bbfcd84d3204a812cc5af62d2931fb934fc88ca.exe
  - 2124  csrsll.exe
  - 3312  csrsll.exe
- Suspicious use of WriteProcessMemory (33 IoCs)
  description  /  pid  /  Process  /  procid_target  (identical rows collapsed; repeat count in parentheses):
  - PID 2548 wrote to memory of 32  2548  a6f54199508f0cde2681e6cd8bbfcd84d3204a812cc5af62d2931fb934fc88ca.exe  86  (x8)
  - PID 32 wrote to memory of 2180  32  a6f54199508f0cde2681e6cd8bbfcd84d3204a812cc5af62d2931fb934fc88ca.exe  87  (x3)
  - PID 2180 wrote to memory of 1472  2180  cmd.exe  90  (x3)
  - PID 32 wrote to memory of 2124  32  a6f54199508f0cde2681e6cd8bbfcd84d3204a812cc5af62d2931fb934fc88ca.exe  91  (x3)
  - PID 2124 wrote to memory of 3312  2124  csrsll.exe  95  (x8)
  - PID 2124 wrote to memory of 3596  2124  csrsll.exe  96  (x8)
Processes
- C:\Users\Admin\AppData\Local\Temp\a6f54199508f0cde2681e6cd8bbfcd84d3204a812cc5af62d2931fb934fc88ca.exe (depth 1, PID 2548)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a6f54199508f0cde2681e6cd8bbfcd84d3204a812cc5af62d2931fb934fc88ca.exe"
  Signatures:
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\a6f54199508f0cde2681e6cd8bbfcd84d3204a812cc5af62d2931fb934fc88ca.exe (depth 2, PID 32)
    Command line: "C:\Users\Admin\AppData\Local\Temp\a6f54199508f0cde2681e6cd8bbfcd84d3204a812cc5af62d2931fb934fc88ca.exe"
    Signatures:
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\cmd.exe (depth 3, PID 2180)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NBMVM.bat" "
      Signatures:
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      Child processes:
      - C:\Windows\SysWOW64\reg.exe (depth 4, PID 1472)
        Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Win Pdf" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe" /f
        Signatures:
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe (depth 3, PID 2124)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
      Signatures:
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      Child processes:
      - C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe (depth 4, PID 3312)
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
        Signatures:
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
      - C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe (depth 4, PID 3596)
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
        Signatures:
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 145B
  MD5: 4eb61ec7816c34ec8c125acadc57ec1b
  SHA1: b0015cc865c0bb1a027be663027d3829401a31cc
  SHA256: 08375cdb2e9819391f67f71e9718c15b48d3eaa452c54bd8fdd1f6a42e899aff
  SHA512: f289f01d996dd643560370be8cdf8894e9a676ca3813f706c01ef5d705b9b18246c6cadf10d96edd433a616637b8a78fbd23c5738e76f1c4e671977b6d0cb6c1
- Filesize: 90KB
  MD5: 015e7d1c987ef84e79ab4135f2bc0500
  SHA1: c0499068dd3a23b6ca078c1fa92f41359319420d
  SHA256: 2dc50d35bc8c8a3d45ee9962e69b41f36e772059ceccc987e0569c57fbcafb1e
  SHA512: f76293bfb42ddcc77bf47420d68da71ea098d2e1b0d9ce154f0c6ed1eef255851802bf955a5315337a219405fb2af33c507c0759becbc5ea8eb9be150feefccd